Description
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Published: 2026-06-09
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the PBKDF2-SHA256 password storage plugin of 389 Directory Server, which accepts the iteration count embedded in a stored password hash without enforcing an upper bound. When a privileged attacker modifies or injects a password hash carrying a very large iteration count, each authentication attempt against that account forces the server through that many PBKDF2 rounds, consuming excessive CPU and disrupting the entire directory server instance. The weakness is classified as Resource Exhaustion (CWE-400); the impact is a denial of service that can affect binds to the poisoned account or the entire service, depending on resource constraints.

Affected Systems

The affected products are Red Hat Directory Server versions 11, 12, and 13, as well as Red Hat Enterprise Linux releases 6 through 10. Any installation of these products that permits trusted users to set or alter userPassword attributes with the PBKDF2-SHA256 plugin is vulnerable, regardless of kernel or system version.

Risk and Exploitability

The published CVSS score of 4.9 indicates moderate severity; the current EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The primary attack vector is internal or privileged modification of a hash: an attacker with Directory Manager privileges, or any role able to edit userPassword values, can store a poisoned hash that forces the server to perform an exorbitant number of PBKDF2 iterations during bind operations, exhausting CPU resources. Because the flaw requires direct modification of stored credentials, it is unlikely to be exploited remotely without elevated privileges, but once such access is obtained it can trigger an immediate denial of service.

Generated by OpenCVE AI on June 9, 2026 at 14:51 UTC.

Remediation

Vendor Workaround

Disable nsslapd-allow-hashed-passwords (default: off) so that non-DM users cannot set pre-hashed passwords. Restrict Directory Manager credentials: limit DM access to management networks and audit DM operations via nsslapd-auditlog. Monitor for suspicious userPassword modifications (unusual hash schemes or large base64 payloads) and for unusually long bind operations against the same account, which may indicate a poisoned PBKDF2 hash.


OpenCVE Recommended Actions

  • Disable the "nsslapd-allow-hashed-passwords" setting so that non-Directory Manager users cannot set pre-hashed passwords.
  • Restrict Directory Manager credentials to trusted, isolated networks and enable audit logging for DM operations (nsslapd-auditlog).
  • Monitor for suspicious modifications to userPassword attributes, especially unusually large base64 payloads or uncommon hash schemes, and review logs for suspicious bind activity.

Generated by OpenCVE AI on June 9, 2026 at 14:51 UTC.
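The bound check the plugin lacked, together with an audit over exported userPassword values as the workaround above recommends, as an added Python example that is not part of the OpenCVE page or of 389-ds-base itself. It assumes a `{PBKDF2-SHA256}<iterations>$<base64 salt>$<base64 hash>` storage layout and the 10,000 to 1,000,000 iteration bounds, both chosen for illustration; the LDIF sample is constructed.

```python
import base64
import hashlib
import hmac
import re
# Assumed stored layout (an assumption for this example, not taken from the page):
#   {PBKDF2-SHA256}<iterations>$<base64 salt>$<base64 derived key>
PBKDF2_RE = re.compile(r"^\{PBKDF2-SHA256\}(\d+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")
MIN_ITERATIONS, MAX_ITERATIONS = 10_000, 1_000_000  # hypothetical bounds; the flaw is having no ceiling

def parse_pbkdf2(stored):
    """Return (iterations, salt, dk); reject an out-of-range count before any PBKDF2 work is done."""
    m = PBKDF2_RE.match(stored)
    if not m:
        raise ValueError("not a PBKDF2-SHA256 value")
    iterations = int(m.group(1))
    if not MIN_ITERATIONS <= iterations <= MAX_ITERATIONS:
        raise ValueError(f"iteration count {iterations} outside [{MIN_ITERATIONS}, {MAX_ITERATIONS}]")
    return iterations, base64.b64decode(m.group(2)), base64.b64decode(m.group(3))

def encode_pbkdf2(password, salt, iterations):
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "{PBKDF2-SHA256}%d$%s$%s" % (iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(password, stored):
    """Bound-checked bind: a poisoned hash raises ValueError instead of pinning a CPU."""
    iterations, salt, dk = parse_pbkdf2(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=len(dk))
    return hmac.compare_digest(candidate, dk)

def audit_ldif(ldif):
    """Flag userPassword values in an LDIF export whose iteration count fails the bound check."""
    findings, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword:: "):  # '::' marks a base64-encoded LDIF value
            value = base64.b64decode(line[15:]).decode()
            if value.startswith("{PBKDF2-SHA256}"):
                try:
                    parse_pbkdf2(value)
                except ValueError as exc:
                    findings.append((dn, str(exc)))
    return findings

# Constructed sample export: one sane hash and one whose count was rewritten to 4,000,000,000.
GOOD_HASH = encode_pbkdf2("s3cret", b"0123456789abcdef", 20_000)
POISONED_HASH = GOOD_HASH.replace("}20000$", "}4000000000$", 1)
SAMPLE_LDIF = "".join("dn: uid=%s,ou=people,dc=example,dc=com\nuserPassword:: %s\n\n" % (u, base64.b64encode(h.encode()).decode())
                      for u, h in (("alice", GOOD_HASH), ("bob", POISONED_HASH)))
```

Running `audit_ldif(SAMPLE_LDIF)` reports only bob's entry, and `verify_password` refuses the poisoned value before a single PBKDF2 round runs.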

Tracking


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat redhat Directory Server
Vendors & Products | | Redhat redhat Directory Server

Tue, 09 Jun 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Title | | 389-ds-base: 389-ds-base: pbkdf2 password storage plugin unbounded iteration count denial of service
First Time appeared | | Redhat; Redhat directory Server; Redhat enterprise Linux
Weaknesses | | CWE-400
CPEs | | cpe:/a:redhat:directory_server:11; cpe:/a:redhat:directory_server:12; cpe:/a:redhat:directory_server:13; cpe:/o:redhat:enterprise_linux:10; cpe:/o:redhat:enterprise_linux:6; cpe:/o:redhat:enterprise_linux:7; cpe:/o:redhat:enterprise_linux:8; cpe:/o:redhat:enterprise_linux:9
Vendors & Products | | Redhat; Redhat directory Server; Redhat enterprise Linux
References | |
Metrics | | cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-09T13:29:01.281Z

Reserved: 2026-06-09T13:00:11.043Z

Link: CVE-2026-11790

Vulnrichment

Updated: 2026-06-09T13:28:57.873Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T14:16:37.197

Modified: 2026-06-09T14:42:21.530

Link: CVE-2026-11790

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:39Z

Weaknesses