CVE-2026-11789
Description
389 Directory Server's SMD5 plugin has an integer underflow vulnerability leading to a crash during authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in the SMD5 password storage plugin of 389 Directory Server. When processing a crafted password hash shorter than 16 bytes, an unsigned integer underflow occurs during the salt length computation. This leads to a buffer over-read that causes the LDAP server to crash during authentication. This vulnerability has been present since the creation of smd5_pwd.c (around 2005) and was confirmed on Fedora 42 production binaries [2].
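The salt-length arithmetic described above, as an added C illustration that is not the project's smd5_pwd.c code. It assumes the usual {SMD5} layout after base64 decoding (a 16-byte MD5 digest followed by the salt), so the salt length is the decoded length minus 16; the unchecked form shows the unsigned wrap for short inputs, and the hardened split rejects them before any length is derived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed {SMD5} layout after base64 decoding: 16-byte MD5 digest, then salt. */
#define SMD5_DIGEST_LEN 16

/* The pattern the advisory describes: the digest length is subtracted from the
 * decoded length with no lower bound. For inputs shorter than 16 bytes the
 * unsigned subtraction wraps to a huge value, and any read of that many salt
 * bytes over-reads the buffer. Kept only so the wrap is visible and testable. */
size_t smd5_salt_len_unchecked(size_t decoded_len)
{
    return decoded_len - SMD5_DIGEST_LEN;   /* wraps when decoded_len < 16 */
}

/* Hardened split of a decoded {SMD5} value into digest and salt.
 * Returns 0 on success, -1 when the value cannot contain a full digest. */
int smd5_split(const unsigned char *decoded, size_t decoded_len,
               const unsigned char **digest, const unsigned char **salt,
               size_t *salt_len)
{
    if (decoded == NULL || decoded_len < SMD5_DIGEST_LEN)
        return -1;                          /* reject instead of wrapping */
    *digest = decoded;
    *salt = decoded + SMD5_DIGEST_LEN;
    *salt_len = decoded_len - SMD5_DIGEST_LEN;  /* cannot wrap after the check */
    return 0;
}

/* Constructed sample values (not real hashes): a well-formed 20-byte value with
 * a 4-byte salt, and an 8-byte value too short to hold even the digest. */
const unsigned char smd5_sample_ok[20] = {
    0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 's', 'a', 'l', 't' };
const unsigned char smd5_sample_short[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };

int main(void)
{
    const unsigned char *digest, *salt;
    size_t salt_len;
    printf("unchecked salt_len for 8-byte input: %zu\n",
           smd5_salt_len_unchecked(sizeof smd5_sample_short));
    if (smd5_split(smd5_sample_ok, sizeof smd5_sample_ok, &digest, &salt, &salt_len) == 0)
        printf("ok: salt_len=%zu salt=%.*s\n", salt_len, (int)salt_len, (const char *)salt);
    if (smd5_split(smd5_sample_short, sizeof smd5_sample_short, &digest, &salt, &salt_len) != 0)
        printf("rejected: %zu-byte value is shorter than the digest\n", sizeof smd5_sample_short);
    return 0;
}
```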
Exploitation
An attacker with Directory Manager privileges must first plant a crafted SMD5 hash within the directory. Any subsequent user attempting to authenticate using this crafted hash will trigger the vulnerability. This is a missed variant of CVE-2024-5953, which previously patched related files but not smd5_pwd.c [2].
Impact
Successful exploitation of this vulnerability causes the ns-slapd process, the LDAP server, to crash with a SIGSEGV signal. This results in a denial of service for all authentication attempts against the server. The attacker gains no further privileges or access beyond causing the crash [2].
Mitigation
This vulnerability has been fixed. The exact fixed version and release date are not yet disclosed in the available references. Users are advised to update to a patched version of 389 Directory Server once it becomes available. No workarounds are currently specified [1, 2].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 3
News mentions: 0
No linked articles in our index yet.