VYPR
Medium severity · 4.9 · NVD Advisory · Published Jun 9, 2026 · Updated Jun 9, 2026

CVE-2026-11790

Description

389 Directory Server's PBKDF2-SHA256 plugin allows DoS by crafting password hashes with excessive iteration counts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The PBKDF2-SHA256 password storage plugin in 389 Directory Server does not enforce an upper bound on the iteration count extracted from stored password hashes. This affects both the C plugin (pbkdf2_pwd.c) and the Rust plugin (pwdchan/lib.rs). This vulnerability was introduced in 389-ds-base 1.3.6 [2].

Exploitation

A privileged attacker with Directory Manager privileges can modify a user's password hash to include an extremely high iteration count (e.g., 0x7FFFFFFF). Any subsequent LDAP BIND operation for that user will trigger excessive CPU consumption [2].

Impact

Successful exploitation leads to denial of service by consuming excessive CPU resources, potentially hanging a worker thread for hours. This can result in a persistent denial of service condition for the affected user account [2].

Mitigation

This issue is fixed in 389-ds-base. The specific fixed version and release date are not yet disclosed in the available references. No workarounds are mentioned [1, 2].

AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The PBKDF2-SHA256 password storage plugin does not validate the iteration count extracted from password hashes."

Attack vector

An attacker with Directory Manager privileges can modify a user's password hash to include an extremely high iteration count, such as 0x7FFFFFFF [ref_id=1]. When a user attempts to authenticate with this crafted hash, the server performs an excessive number of CPU-intensive operations. This unbounded CPU consumption can hang a worker thread for an extended period, leading to a denial of service [ref_id=1].

Affected code

Both the C implementation (pbkdf2_pwd.c) and the Rust implementation (pwdchan/lib.rs) of the PBKDF2-SHA256 password storage plugin are affected by this vulnerability [ref_id=1]. The issue was introduced in 389-ds-base version 1.3.6.

What the fix does

The advisory indicates that the PBKDF2-SHA256 password storage plugin needs an upper bound check for the iteration count. While a specific patch is not provided, the fix involves implementing this validation to prevent excessively high iteration counts from being used during password hashing and authentication. This ensures that the server does not enter a state of unbounded CPU consumption [ref_id=1].
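The check described above, written as an added illustration rather than 389-ds-base's own C or Rust plugin code: parse the stored hash string, pull out the iteration count, and refuse it before any key derivation starts. The storage layout `{PBKDF2-SHA256}<iterations>$<salt>$<hash>`, the bounds `MIN_ITERATIONS`/`MAX_ITERATIONS`, and the function names are assumptions chosen for the example; the real plugin's encoding and limits may differ.

```rust
// Added example, not 389-ds-base code. Demonstrates an upper-bound check on the
// PBKDF2 iteration count taken from a stored password hash, applied before any
// CPU-intensive derivation. Format, bounds and names are assumptions.

// Assumed bounds: low enough to keep a BIND cheap, high enough for real hashes.
pub const MIN_ITERATIONS: u32 = 10_000;
pub const MAX_ITERATIONS: u32 = 1_000_000;

#[derive(Debug, PartialEq)]
pub enum HashError {
    BadPrefix,                 // not a {PBKDF2-SHA256} value at all
    BadShape,                  // missing iterations, salt or hash field
    BadIterations,             // iteration field is not a number (or overflows)
    IterationsOutOfRange(u64), // parsed fine, but outside [MIN, MAX]
}

pub struct ParsedHash<'a> {
    pub iterations: u32,
    pub salt: &'a str,
    pub hash: &'a str,
}

/// Parse the assumed "{PBKDF2-SHA256}<iterations>$<salt>$<hash>" layout and
/// validate the iteration count. Nothing expensive happens here: the goal is
/// to fail fast on a crafted value such as 0x7FFFFFFF.
pub fn parse_pbkdf2_sha256(stored: &str) -> Result<ParsedHash<'_>, HashError> {
    const PREFIX: &str = "{PBKDF2-SHA256}";
    let body = stored.strip_prefix(PREFIX).ok_or(HashError::BadPrefix)?;

    let mut parts = body.splitn(3, '$');
    let iters_str = parts.next().ok_or(HashError::BadShape)?;
    let salt = parts.next().ok_or(HashError::BadShape)?;
    let hash = parts.next().ok_or(HashError::BadShape)?;
    if salt.is_empty() || hash.is_empty() {
        return Err(HashError::BadShape);
    }

    // Parse into u64 so an out-of-range value is reported rather than wrapped.
    let iterations: u64 = iters_str.parse().map_err(|_| HashError::BadIterations)?;
    if iterations < u64::from(MIN_ITERATIONS) || iterations > u64::from(MAX_ITERATIONS) {
        return Err(HashError::IterationsOutOfRange(iterations));
    }

    Ok(ParsedHash {
        iterations: iterations as u32,
        salt,
        hash,
    })
}

/// Convenience wrapper: the iteration count a BIND handler may use, or why not.
pub fn checked_iterations(stored: &str) -> Result<u32, HashError> {
    parse_pbkdf2_sha256(stored).map(|p| p.iterations)
}

fn main() {
    // Constructed sample values; salt and hash fields are placeholders.
    let samples = [
        "{PBKDF2-SHA256}30000$c2FsdA$aGFzaA",      // normal, accepted
        "{PBKDF2-SHA256}2147483647$c2FsdA$aGFzaA", // 0x7FFFFFFF, rejected
        "{PBKDF2-SHA256}abc$c2FsdA$aGFzaA",        // non-numeric, rejected
        "{SSHA}not-this-scheme",                   // wrong scheme, rejected
    ];
    for s in samples {
        match checked_iterations(s) {
            Ok(n) => println!("accept {s}: {n} iterations"),
            Err(e) => println!("reject {s}: {e:?}"),
        }
    }
}
```

The range check runs on the stored value during authentication, so a hash that was written with elevated privileges is still refused at BIND time; logging the `IterationsOutOfRange` case gives a detection hook for tampered entries.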

Preconditions

  • Auth: Attacker must have Directory Manager privileges.
  • Input: Attacker must be able to modify a user's password hash.

Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.