Description
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Published: 2026-05-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in get_ldapmessage_controls_ext() of 389-ds-base, where the LDAP server does not enforce an upper bound on the number of controls per message. A remote, unauthenticated attacker can send an LDAP request packed with hundreds of thousands of minimal controls within the default 2‑MB BER size limit, provoking excessive CPU consumption and large heap allocations. Under sustained or concurrent exploitation the server may experience severe latency, worker‑thread starvation, or out‑of‑memory termination, ultimately causing a denial of service.

Affected Systems

Affected products are Red Hat Directory Server versions 11, 12 and 13 as well as Red Hat Enterprise Linux releases 6, 7, 8, 9 and 10. These systems rely on the vulnerable 389-ds-base component.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate severity, and while an EPSS score is not available, the lack of a KEV listing suggests no publicly demonstrated exploits yet. The attack vector is remote, unauthenticated via the LDAP service on ports 389/636. Because the vulnerability accepts any number of controls, an attacker only needs network connectivity to the LDAP port and does not require privileged credentials. The resulting CPU and heap amplification can overwhelm service threads, making the server unresponsive to legitimate requests.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Remediation

Vendor Workaround

Restrict network access to the LDAP port (389/tcp, 636/tcp) to trusted networks only using firewall rules or network ACLs. This prevents untrusted remote attackers from reaching the vulnerable code path. Optionally, lower the nsslapd-maxbersize configuration parameter to reduce the maximum BER message size accepted by the server. Note that this caps bytes, not the number of controls, and does not fully eliminate the amplification. Setting it too low may impact legitimate LDAP operations with large payloads.

OpenCVE Recommended Actions

  • Apply the vendor‑released security update for Red Hat Directory Server and RHEL that limits LDAP control count.
  • Restrict LDAP traffic to trusted networks using firewall rules or ACLs to prevent untrusted remote access.
  • Optionally configure the nsslapd-maxbersize parameter to a lower value to reduce the maximum BER message size, noting that this may affect legitimate LDAP operations.

Generated by OpenCVE AI on May 20, 2026 at 11:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Title 389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-770
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Redhat Directory Server Enterprise Linux
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-20T13:41:09.059Z

Reserved: 2026-05-20T08:19:21.037Z

Link: CVE-2026-9064

cve-icon Vulnrichment

Updated: 2026-05-20T13:40:44.035Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T10:16:28.940

Modified: 2026-05-20T14:02:12.280

Link: CVE-2026-9064

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-20T07:30:00Z

Links: CVE-2026-9064 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T11:30:26Z

Weaknesses