CVE-2026-11787
Description
389 Directory Server heap buffer over-read in ldap_utf8prev() allows manipulation of internal filter processing.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer over-read flaw exists in the ldap_utf8prev() function within 389 Directory Server. The function steps backward from a pointer without checking against the start of the buffer, so it can read bytes before the allocation, which may influence internal filter processing behavior. The issue stems from an API design flaw present since the Mozilla LDAP C SDK import and affects numerous call sites [2].
Exploitation
The flaw cannot be triggered via the standard LDAP wire protocol, as BER filters are parsed separately. Instead, an attacker would have to influence data processed by internal callers, such as plugin configurations, ACI definitions, or replication agreements. The over-read occurs when ldap_utf8prev() reads 1-6 bytes before a heap allocation, because the function takes no lower-bound parameter [2].
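As an added illustration (not code from 389 Directory Server or the Mozilla LDAP C SDK), the following shows how a previous-character step can be written with the explicit lower bound the page says ldap_utf8prev() lacks; the function names utf8prev_bounded() and utf8_chars_backward() and the sample buffers are constructed here for demonstration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical bounded variant: step back one UTF-8 character from s,
 * never reading a byte before start. Returns NULL once s is at start.
 * A UTF-8 continuation byte has the form 10xxxxxx ((b & 0xC0) == 0x80).
 * Walking back over continuation bytes without a lower bound is exactly
 * the pattern that lets a caller read memory before its allocation. */
const char *utf8prev_bounded(const char *start, const char *s)
{
    if (start == NULL || s == NULL || s <= start)
        return NULL;
    const unsigned char *c = (const unsigned char *)s;
    do {
        c--;
    } while (c > (const unsigned char *)start && (*c & 0xC0) == 0x80);
    return (const char *)c;
}

/* Count characters by walking backward from buf + len; the loop ends
 * when the bounded step reports that start has been reached. */
size_t utf8_chars_backward(const char *buf, size_t len)
{
    size_t n = 0;
    const char *p = buf + len;
    while ((p = utf8prev_bounded(buf, p)) != NULL)
        n++;
    return n;
}

/* Constructed samples: 'a', U+00E9 (2 bytes), 'z'; and a malformed
 * buffer that begins with bare continuation bytes. */
static const char sample[] = "a\xC3\xA9z";
static const char malformed[] = "\x80\x80";

int main(void)
{
    printf("chars in sample: %zu\n", utf8_chars_backward(sample, 4));
    printf("chars in malformed: %zu\n", utf8_chars_backward(malformed, 2));
    return 0;
}
```

With the malformed buffer the walk stops at the first byte instead of continuing past the allocation, which is the case the unbounded API cannot handle.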
Impact
Successful exploitation of this vulnerability may influence internal filter processing behavior. While ASan confirmed the issue on aarch64, no crash was observed on production binaries. The exact impact beyond influencing internal processing is not fully detailed in the available references [2].
Mitigation
This vulnerability has not yet been patched. The root cause of the heap over-read in ldap_utf8prev() has not been fixed, despite previous symptomatic patches. Affected versions are not explicitly listed, and no fixed version or release date is available. No workarounds are currently disclosed [2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.