Description
A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
Published: 2026-06-09
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap buffer overflow occurs in the create_masked_entry_string() function of 389 Directory Server's auditlog.c when audit logging is enabled. The function copies a fixed-length password mask into a heap buffer without verifying the available space. If a short cleartext password is logged (possible when the non-default CLEAR passwordStorageScheme is used or a replication peer is compromised), the copy overruns the buffer, corrupting heap memory and the audit log output. This corruption can lead to denial of service and could potentially allow exploitation if memory is manipulated, but the CVE notes describe no direct read or arbitrary code execution capability.
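
The bug class described above, as an added example in C that is not code from 389 Directory Server: a fixed-length mask written into a buffer sized for the value it replaces overruns whenever the value is shorter than the mask. The mask text and the names mask_overrun() and mask_line() are hypothetical; the page does not show the contents of auditlog.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mask: the page does not give the real mask text or length. */
static const char MASK[] = "**********************";
#define MASK_LEN (sizeof(MASK) - 1)

/* Pattern described in the advisory, shown only as a comment:
 *   buf = malloc(strlen(line) + 1);           sized for the short value
 *   memcpy(buf + value_off, MASK, MASK_LEN);  fixed-length copy, no check
 * mask_overrun() returns by how many bytes the mask exceeds the space
 * reserved for a value of value_len bytes (0 means the copy fits). */
size_t mask_overrun(size_t value_len)
{
    return MASK_LEN > value_len ? MASK_LEN - value_len : 0;
}

/* Hardened form: size the output from what will be written (prefix plus
 * mask), never from the length of the value being hidden.
 * Returns a heap string the caller frees, or NULL on error. */
char *mask_line(const char *line)
{
    const char *sep = strstr(line, ": ");
    if (sep == NULL)
        return NULL;                    /* not an "attr: value" line */
    size_t prefix_len = (size_t)(sep - line) + 2;
    char *out = malloc(prefix_len + MASK_LEN + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, line, prefix_len);
    memcpy(out + prefix_len, MASK, MASK_LEN + 1);   /* includes the NUL */
    return out;
}

int main(void)
{
    /* Constructed sample lines: a short cleartext value and a long hash. */
    const char *samples[] = { "userPassword: abc",
        "userPassword: {PBKDF2-SHA512}constructed-hash-value-for-demo" };
    for (size_t i = 0; i < 2; i++) {
        const char *value = strstr(samples[i], ": ") + 2;
        char *masked = mask_line(samples[i]);
        printf("overrun=%zu  %s\n", mask_overrun(strlen(value)),
               masked ? masked : "(error)");
        free(masked);
    }
    return 0;
}
```
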

Affected Systems

As listed by the CNA, affected products include Red Hat Directory Server versions 11, 12, and 13, and Red Hat Enterprise Linux distributions 6 through 10. No other vendors or versions are specified in the CVE entry.

Risk and Exploitability

The CVSS score of 3.3 indicates a low‑severity vulnerability with limited impact. The EPSS is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires audit logging to be enabled and a short cleartext password to be logged, typically through a misconfigured passwordStorageScheme or a malicious replication peer. These prerequisites lower the probability of successful exploitation, resulting in an overall low risk in most environments.

Generated by OpenCVE AI on June 9, 2026 at 14:51 UTC.

Remediation

Vendor Workaround

Do not use passwordStorageScheme=CLEAR (default PBKDF2-SHA512 produces hashes longer than 23 bytes). Disable audit logging if not required. Monitor replication agreements for unauthorized peers.


OpenCVE Recommended Actions

  • Apply the Red Hat security erratum RHBA‑2025:15534 to update 389 Directory Server and related packages, which patches the heap overflow.
  • Change the passwordStorageScheme from CLEAR to a default scheme such as PBKDF2‑SHA512 to prevent short cleartext passwords from being logged.
  • If immediate patching is not possible, disable audit logging in 389 Directory Server or reduce the set of audited attributes to mitigate the risk.
  • Continuously monitor replication agreements for unauthorized peers to detect and block potential replay of cleartext passwords.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat redhat Directory Server
Vendors & Products Redhat redhat Directory Server

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.
Title 389-ds-base: 389-ds-base: heap buffer overflow in audit log password masking (create_masked_entry_string)
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-122
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-09T13:35:31.641Z

Reserved: 2026-06-09T13:02:09.570Z

Link: CVE-2026-11792

Vulnrichment

Updated: 2026-06-09T13:35:28.819Z

NVD

Status : Awaiting Analysis

Published: 2026-06-09T14:16:37.353

Modified: 2026-06-09T14:42:21.530

Link: CVE-2026-11792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T20:20:36Z

Weaknesses