VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-11788

Description

389 Directory Server's dereference control plugin crashes when memory allocation fails, allowing unauthenticated remote attackers to cause a denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A flaw exists in the dereference control plugin of 389 Directory Server: deref_parse_ctrl_value() in deref.c does not check the return value of ber_init() before using it, so when the allocation inside ber_init() fails the resulting NULL pointer is dereferenced. The issue has been present in every version since the dereference plugin was introduced in 389-ds-base 1.2.6, and the plugin is enabled by default [2].

Exploitation

An unauthenticated remote attacker can trigger this vulnerability by sending a search request that carries the dereference control to the LDAP server. The attempt is most likely to succeed when the system is under memory pressure, so that the allocation inside the plugin actually fails [2].

Impact

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to crash the ns-slapd process, resulting in a denial of service for the LDAP server. The crash has been confirmed via GDB fault injection on Fedora 42 (SIGABRT) and CentOS 7 (SIGSEGV) [2].
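As an added illustration (not code from 389-ds-base; the page does not reproduce deref.c), the C below shows the hardened form of the unchecked-allocation pattern described in the Vulnerability section, with a fault-injection hook standing in for the GDB injection mentioned above. BerElement, ber_alloc and ber_init_sim are hypothetical stand-ins for liblber, not its real API.

```c
#include <stdio.h>
#include <stdlib.h>

/* LDAP result codes (RFC 4511). */
#define LDAP_SUCCESS          0
#define LDAP_OPERATIONS_ERROR 1
#define LDAP_PROTOCOL_ERROR   2

/* Hypothetical stand-in for liblber's opaque BerElement (assumption). */
typedef struct { const unsigned char *buf; size_t len; } BerElement;

/* Fault-injection hook: set to 1 to make the next allocation fail, in the
 * spirit of the GDB fault injection used to confirm the crash. */
int ber_fail_next = 0;
static void *ber_alloc(size_t n)
{
    if (ber_fail_next) { ber_fail_next = 0; return NULL; }
    return malloc(n);
}

/* Hypothetical ber_init(): as with the real one, NULL means allocation failed. */
static BerElement *ber_init_sim(const unsigned char *val, size_t len)
{
    BerElement *ber = ber_alloc(sizeof *ber);
    if (ber == NULL) return NULL;
    ber->buf = val;
    ber->len = len;
    return ber;
}

/* Hardened parser. The flawed pattern reads *ber straight after ber_init();
 * the NULL check below turns an allocation failure into an LDAP error result
 * instead of a crash of ns-slapd. A DerefSpec must start with a SEQUENCE tag. */
int deref_parse_ctrl_value_checked(const unsigned char *val, size_t len)
{
    BerElement *ber = ber_init_sim(val, len);
    if (ber == NULL)
        return LDAP_OPERATIONS_ERROR;   /* report, do not dereference */
    int rc = (ber->len >= 2 && ber->buf[0] == 0x30) ? LDAP_SUCCESS
                                                    : LDAP_PROTOCOL_ERROR;
    free(ber);
    return rc;
}

int main(void)
{
    const unsigned char ctrl[] = { 0x30, 0x00 };   /* constructed: empty DerefSpec */
    printf("normal rc=%d\n", deref_parse_ctrl_value_checked(ctrl, sizeof ctrl));
    ber_fail_next = 1;
    printf("alloc-failure rc=%d\n", deref_parse_ctrl_value_checked(ctrl, sizeof ctrl));
    return 0;
}
```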

Mitigation

This vulnerability has been fixed. The vulnerable code was present since 389-ds-base 1.2.6. No specific fixed version or release date is available in the provided references, but the issue is tracked in Bugzilla [2]. Users should consult Red Hat advisories for specific patch information [1].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0 (no linked articles in our index yet)