CVE-2026-11785
Description
389 Directory Server type confusion in SSO token handler leaks partial stack addresses to authenticated users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A type confusion flaw exists in the extop_handle_ldapssotoken_request() function within extendop.c in 389 Directory Server. The function passes a stack pointer (&rc) to ber_printf where the format specifier ('i') expects an integer. Because 'i' consumes an int-sized argument from the variadic list, it reads only the low 32 bits of the 64-bit pointer, so the low 32 bits of a stack address are encoded as the result integer in every SSO token LDAP extended operation response. The SSO token feature is enabled by default.
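The argument/format mismatch described above, reproduced with a toy BER encoder. This is an added example, not code from 389 Directory Server or liblber: toy_ber_printf and toy_ber_get_int are hypothetical stand-ins that mimic only the 'i' conversion, and the sso_result_* helpers are assumed simplifications of the handler's response path. The vulnerable and fixed variants differ only in whether `&rc` or `rc` is passed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for liblber's ber_printf(): it understands only the 'i'
 * conversion, which pulls an int off the va_list and appends a BER INTEGER
 * (tag 0x02, one-byte length, minimal big-endian two's-complement body).
 * Braces and other characters are skipped.  Illustrative only, not liblber. */
static size_t toy_ber_printf(unsigned char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    size_t n = 0;

    va_start(ap, fmt);
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != 'i')
            continue;

        /* 'i' consumes exactly one int-sized argument.  If the caller passed a
         * 64-bit pointer instead, only its low 32 bits are read here. */
        uint32_t v = (uint32_t)va_arg(ap, int);

        unsigned char body[4] = {
            (unsigned char)(v >> 24), (unsigned char)(v >> 16),
            (unsigned char)(v >> 8),  (unsigned char)v,
        };
        /* Minimal length: drop leading bytes that are pure sign extension. */
        size_t start = 0;
        while (start < 3 &&
               ((body[start] == 0x00 && (body[start + 1] & 0x80) == 0) ||
                (body[start] == 0xff && (body[start + 1] & 0x80) != 0)))
            start++;
        size_t len = 4 - start;

        if (n + 2 + len > cap)
            break;
        out[n++] = 0x02;
        out[n++] = (unsigned char)len;
        memcpy(out + n, body + start, len);
        n += len;
    }
    va_end(ap);
    return n;
}

/* Decode the first BER INTEGER in buf, as a client parsing the response would. */
static uint32_t toy_ber_get_int(const unsigned char *buf, size_t n)
{
    if (n < 2 || buf[0] != 0x02 || buf[1] == 0 || buf[1] > 4 || n < 2 + (size_t)buf[1])
        return 0;
    uint32_t v = (buf[2] & 0x80) ? 0xffffffffu : 0;  /* sign-extend */
    for (size_t i = 0; i < buf[1]; i++)
        v = (v << 8) | buf[2 + i];
    return v;
}

/* The bug pattern from the advisory: rc is a stack local and its ADDRESS is
 * handed to the 'i' conversion.  Returns the value a client decodes from the
 * response and stores rc's real address in *rc_addr for comparison. */
static uint32_t sso_result_vulnerable(int rc_value, uintptr_t *rc_addr)
{
    unsigned char resp[16];
    int rc = rc_value;

    *rc_addr = (uintptr_t)&rc;
    size_t n = toy_ber_printf(resp, sizeof resp, "{i}", &rc);  /* BUG: &rc, not rc */
    return toy_ber_get_int(resp, n);
}

/* Corrected pattern: pass the integer itself. */
static uint32_t sso_result_fixed(int rc_value)
{
    unsigned char resp[16];
    int rc = rc_value;

    size_t n = toy_ber_printf(resp, sizeof resp, "{i}", rc);
    return toy_ber_get_int(resp, n);
}

/* 1 if the vulnerable encoder leaks the low 32 bits of rc's stack address. */
static int leak_is_observable(void)
{
    uintptr_t addr;
    uint32_t leaked = sso_result_vulnerable(0, &addr);
    return leaked == (uint32_t)addr;
}

int main(void)
{
    uintptr_t addr;
    uint32_t leaked = sso_result_vulnerable(0, &addr);
    printf("rc lives at %#lx; client decoded rc = %#x (low 32 bits of that address)\n",
           (unsigned long)addr, leaked);
    printf("fixed encoder: client decoded rc = %#x\n", sso_result_fixed(0));
    return 0;
}
```

Build with `cc -Wall -O2 leak.c && ./a.out`; the first line shows the decoded result integer matching the low half of the local's address, the second shows the fixed path returning 0. Note that `-Wall` does not flag the mismatch: a compiler can only type-check variadic arguments for functions annotated with a format attribute (as printf is), so reviewing every ber_printf call against its format string is a manual or static-analysis job.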
Exploitation
An attacker requires network access to the 389 Directory Server and valid credentials to authenticate as a non-administrator user. The attacker can then trigger an SSO token LDAP extended operation. The server's response will contain the low 32 bits of a stack address, which can be extracted. This vulnerability was confirmed on Fedora 42, where an example leaked value was 0x8e7faed8.
Impact
Successful exploitation allows an authenticated non-administrator user to disclose partial stack address information. Only the low 32 bits of one stack address are revealed; the upper bits remain unknown, so the disclosure reduces the effectiveness of stack-based Address Space Layout Randomization (ASLR) but does not constitute a full bypass. The information gained could potentially aid an attacker in further exploitation attempts, for example by narrowing the address guesses needed to exploit a separate memory-corruption flaw.
Mitigation
This vulnerability has been fixed. The fixed version is not explicitly mentioned in the available references, but the issue is tracked under bug ID 2485427 [2]. No workarounds are described, and the references give no End-of-Life status and do not indicate whether this CVE is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.