Description
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
Published: 2026-06-09
Score: 4.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in 389 Directory Server’s SMD5 password storage plugin results in an unsigned integer underflow when the plugin calculates the salt length from a crafted password hash that is shorter than 16 bytes. The underflow causes a buffer over-read, which in turn crashes the LDAP server during authentication. The consequence is a denial‑of‑service condition that prevents the directory service from responding to client requests.

Affected Systems

Red Hat Directory Server versions 11, 12, and 13, and all Red Hat Enterprise Linux releases 6 through 10 are affected by the vulnerability.

Risk and Exploitability

The CVSS score is 4.9, indicating moderate severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw by prompting the server to process a carefully crafted, short password hash during authentication, triggering a crash that results in a denial of service. The attack appears to be possible from a remote LDAP client that can send authentication requests to the vulnerable server, though it does not provide code execution or data exfiltration capabilities.

Generated by OpenCVE AI on June 9, 2026 at 14:52 UTC.

Remediation

Vendor Workaround

Disable nsslapd-allow-hashed-passwords (default: off) to prevent non-DM users from setting pre-hashed passwords. Restrict Directory Manager credentials; limit DM access to management networks and audit DM operations via nsslapd-auditlog. Monitor for suspicious userPassword modifications. Migrate stored passwords from {SMD5} to {PBKDF2_SHA256} to eliminate the vulnerable code path for existing accounts.

OpenCVE Recommended Actions

  • Disable nsslapd-allow-hashed-passwords to prevent non-Directory Manager users from setting pre‑hashed passwords.
  • Restrict Directory Manager credentials to management networks and enable audit logging (nsslapd-auditlog) to monitor privileged operations.
  • Migrate all stored passwords from the vulnerable {SMD5} format to the safer {PBKDF2_SHA256} scheme, eliminating the vulnerable code path for existing accounts.
  • Regularly audit userPassword modifications to detect suspicious changes that may indicate attempts to exploit the flaw.
  • Where possible, remove or disable the SMD5 password storage plugin if the environment no longer requires it.

Generated by OpenCVE AI on June 9, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat redhat Directory Server
Vendors & Products Redhat redhat Directory Server

Tue, 09 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
Title 389-ds-base: 389-ds-base: smd5 password storage plugin salt length integer underflow crash
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-191
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Directory Server Enterprise Linux Redhat Directory Server
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-09T16:16:07.367Z

Reserved: 2026-06-09T12:58:52.530Z

Link: CVE-2026-11789

cve-icon Vulnrichment

Updated: 2026-06-09T16:16:02.791Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-09T14:16:37.070

Modified: 2026-06-09T14:42:21.530

Link: CVE-2026-11789

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:20:41Z

Weaknesses