Description
A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
Published: 2026-06-17
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A buffer overflow occurs when 389 Directory Server parses a malformed Access Control Instruction. The __aclp__normalize_acltxt() function does not verify the length of an ACI keyword after whitespace stripping, allowing a one-byte write beyond the allocated buffer and subsequent reads outside bounds. An authenticated user who can write the aci attribute can supply a crafted ACI value, resulting in corruption of heap memory within the directory server process.

Affected Systems

The vulnerability affects Red Hat Directory Server versions 11, 12, and 13 and all Red Hat Enterprise Linux releases from 6 to 10 that include the 389-ds-base package. The affected products are listed as Red Hat Directory Server 11-13 and RHEL 6-10, as identified by the CNA.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score is below 1 %, suggesting low likelihood of widespread exploitation, and the vulnerability is not currently in the CISA KEV catalog. Attack requires an authenticated user with write access to the aci attribute; if write permissions are overly permissive, the flaw can be exploited without elevated privilege. Successful exploitation would corrupt the server’s heap memory and could lead to process instability.

Generated by OpenCVE AI on June 18, 2026 at 20:34 UTC.

Remediation

Vendor Workaround

Ensure that only highly privileged accounts (Directory Manager or explicitly delegated ACI administrators) have write access to the 'aci' attribute. Review existing ACIs for overly broad targetattr rules (especially negated rules like targetattr!="..." or wildcards like targetattr="*") that may inadvertently grant regular users write access to operational attributes including 'aci'. The 389 DS ACI linting tool (lib389) can help identify such misconfigurations.

OpenCVE Recommended Actions

  • Restrict write access to the aci attribute so that only the Directory Manager or explicitly delegated ACI administrators can modify it.
  • Review existing ACIs for overly broad targetattr rules, and correct any misconfigurations. The lib389 ACI linting tool can help identify such policies.
  • Apply any available vendor updates or patch for 389‑ds‑base as soon as they become available; if no patch exists, monitor Red Hat advisories and apply the workaround promptly.

Generated by OpenCVE AI on June 18, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process.
Title 389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-787
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Redhat Directory Server Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-17T18:12:30.719Z

Reserved: 2026-06-17T13:48:38.528Z

Link: CVE-2026-12528

cve-icon Vulnrichment

Updated: 2026-06-17T18:01:10.168Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-03T13:09:01Z

Links: CVE-2026-12528 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:45:03Z

Weaknesses