The flaw resides in 389 Directory Server’s schema reload mechanism. Inside the attr_syntax_swap_ht() function, attribute syntax nodes are freed unconditionally, bypassing the reference‑counted safe‑deletion logic used elsewhere. When an administrator triggers a schema reload while LDAP clients are actively querying the server, worker threads may dereference the freed memory, yielding a use‑after‑free or double‑free. The immediate consequence is a server crash, leading to a denial of service. The weakness is a classic use‑after‑free (CWE‑416).

Affected systems include Red Hat Directory Server releases 11, 12, and 13 on a variety of Red Hat Enterprise Linux platforms – RHEL 10, RHEL 6, RHEL 7, RHEL 8, and RHEL 9. Any installation that incorporates the 389 Directory Server component on these operating systems is potentially vulnerable to the crash described above.

The CVSS score of 5 indicates moderate severity and the issue is not listed in the CISA KEV catalog. EPSS data is unavailable, so the current exploitation likelihood cannot be quantified. Exploitation requires the ability to initiate a schema reload, typically granted to privileged administrators who have write rights to cn=schema,cn=config. If an attacker can trigger a reload while concurrent query traffic is active, they can force the directory service to restart. Therefore, the risk lies primarily in the availability of the LDAP service rather than confidentiality or integrity. The vulnerability is triggered by legitimate administrative operations and therefore the attack vector is likely local, or any entity with sufficient privilege to modify schema.