VYPR
High severity 7.6 · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-11774


Description

Integer overflow in 389 Directory Server SASL I/O layer bypasses packet size limit, leading to heap buffer overflow and potential RCE for authenticated remote attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

An integer overflow in sasl_io_start_packet() of 389 Directory Server (389-ds-base) allows a crafted SASL packet length prefix of 0xFFFFFFFC to wrap to zero when sizeof(uint32_t) is added, bypassing the nsslapd-maxsasliosize limit. This leads to a heap buffer overflow of up to 2 MB of attacker-controlled data. The flaw affects all versions where the SASL I/O layer exists and is independent of CVE-2025-14905, which patched schema.c only [1][2].
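The arithmetic behind the bypass, as an added example that is not code from 389-ds-base: a size check that adds the header size to the untrusted length in 32 bits, next to a form that cannot wrap. The function names, the 32-bit `total` variable and the 2 MB limit value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit standing in for nsslapd-maxsasliosize (assumption). */
#define MAX_SASL_IO_SIZE (2u * 1024u * 1024u)

/* Decode the 4-byte network-order length prefix of a SASL-framed packet. */
static uint32_t read_len_prefix(const unsigned char hdr[4])
{
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
}

/* Weak pattern (hypothetical): the total is formed in 32 bits, so it can
 * wrap past zero before it is compared with the limit. Returns 1 = accept. */
static int size_ok_wrapping(uint32_t payload_len, uint32_t max)
{
    uint32_t total = payload_len + (uint32_t)sizeof(uint32_t);
    return total <= max;
}

/* Hardened pattern: never add to the untrusted value; subtract the fixed
 * header size from the trusted limit instead. Returns 1 = accept. */
static int size_ok_checked(uint32_t payload_len, uint32_t max)
{
    if (max < (uint32_t)sizeof(uint32_t))
        return 0;
    return payload_len <= max - (uint32_t)sizeof(uint32_t);
}

int main(void)
{
    /* Constructed length prefixes: 1 KiB, exactly 2 MiB, and the page's value. */
    static const unsigned char hdrs[][4] = {
        {0x00, 0x00, 0x04, 0x00},
        {0x00, 0x20, 0x00, 0x00},
        {0xFF, 0xFF, 0xFF, 0xFC},
    };
    for (size_t i = 0; i < sizeof(hdrs) / sizeof(hdrs[0]); i++) {
        uint32_t len = read_len_prefix(hdrs[i]);
        printf("len=0x%08X wrapping=%s checked=%s\n", (unsigned)len,
               size_ok_wrapping(len, MAX_SASL_IO_SIZE) ? "accept" : "reject",
               size_ok_checked(len, MAX_SASL_IO_SIZE) ? "accept" : "reject");
    }
    return 0;
}
```

Only the last prefix separates the two checks: the wrapping form sees a total of zero and accepts it, while the checked form rejects it.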

Exploitation

After a successful SASL bind with integrity protection (SSF > 0), a remote attacker sends a SASL-framed packet with length prefix 0xFFFFFFFC. The overflow in sasl_io_read_packet() causes bytes_remaining underflow, and NSPR passes a near-maximum recv() size into a 1024-byte encrypted_buffer, triggering a controlled heap buffer overflow [2]. In FreeIPA/IdM deployments, any domain user with a Kerberos ticket, enrolled host, or service account can trigger this [1][2].

Impact

The attacker can cause a Denial of Service (DoS) via server crash or potentially achieve Remote Code Execution (RCE). RCE was demonstrated on RHEL 8 (glibc 2.28) via tcache poisoning, but is blocked on glibc 2.32+ by safe linking [2]. The compromise occurs at the LDAP server level, with privileges of the directory server process.

Mitigation

Red Hat has not yet released a fix; the vulnerability is tracked in Bugzilla [2]. Administrators should monitor for updates to 389-ds-base. No workaround is documented. The issue is not listed in CISA's KEV as of publication.

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
