CVE-2026-11792
Description
389 Directory Server heap buffer overflow in audit logging corrupts memory and logs when processing short passwords.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow exists in the create_masked_entry_string() function within auditlog.c in 389 Directory Server. This flaw occurs when audit logging is enabled and a short cleartext password is logged, causing a fixed-length password mask to overflow a precisely-sized heap buffer. This vulnerability affects versions of 389 Directory Server present in RHEL 9.6 and RHEL 10, introduced by commit bfeaa8d in July 2025 [3].
Exploitation
An attacker can exploit this vulnerability by triggering the logging of a short cleartext password. This requires audit logging to be enabled and either the passwordStorageScheme to be set to CLEAR (which is explicitly discouraged) or a compromised replication peer to send short cleartext passwords via replicated ADD operations, bypassing password hashing. The overflow occurs when the strcpy function copies the password mask into the buffer [3].
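The sizing mistake described above, as an added illustration that is not code from 389 Directory Server or from the cited references: the audit logger allocates a buffer sized for the cleartext value it is about to replace, then copies a fixed-length mask into it, so any password shorter than the mask overflows the allocation. All names, the attribute string, and the ten-character mask are constructed for this example; the vulnerable sizing is kept as a pure size computation so the program never actually writes out of bounds, and the hardened builder sizes the buffer from the data it will write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed mask; the real mask length in the affected code is not stated on the page. */
#define PASSWORD_MASK "**********"   /* 10 characters */

/* Vulnerable sizing (constructed): the allocation is derived from the
 * cleartext value that is being replaced, i.e. "attr: <value>\0". */
size_t vulnerable_alloc_size(const char *attr, const char *password) {
    return strlen(attr) + 2 + strlen(password) + 1;
}

/* Bytes a strcpy-style write of "attr: <mask>\0" actually needs. */
size_t bytes_written(const char *attr) {
    return strlen(attr) + 2 + strlen(PASSWORD_MASK) + 1;
}

/* How far past the vulnerable allocation the copy would run; 0 means it fits.
 * This is the value a reviewer wants to see: the overflow grows as the
 * password shrinks, and disappears once the value is at least mask-length. */
size_t overflow_bytes(const char *attr, const char *password) {
    size_t alloc = vulnerable_alloc_size(attr, password);
    size_t need = bytes_written(attr);
    return need > alloc ? need - alloc : 0;
}

/* Hardened builder (constructed): the cleartext never influences sizing.
 * The buffer is sized from the mask, and the write is bounded by snprintf.
 * Caller frees the result. */
char *mask_password_safe(const char *attr, const char *password) {
    (void)password;                         /* deliberately unused for sizing */
    size_t len = bytes_written(attr);
    char *out = malloc(len);
    if (out == NULL)
        return NULL;
    snprintf(out, len, "%s: %s", attr, PASSWORD_MASK);
    return out;
}

int main(void) {
    const char *attr = "userPassword";
    const char *samples[] = { "", "abc", "abcdefghij", "abcdefghijklmnop" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("password length %2zu: vulnerable sizing overflows by %zu byte(s)\n",
               strlen(samples[i]), overflow_bytes(attr, samples[i]));
    }
    char *masked = mask_password_safe(attr, "abc");
    if (masked != NULL) {
        printf("safe output: %s\n", masked);
        free(masked);
    }
    return 0;
}
```

Building the program with `-fsanitize=address` and replacing the size computation with a real `strcpy` into a `malloc(vulnerable_alloc_size(...))` buffer is the quickest way to see the heap-buffer-overflow report the description refers to; the same sanitizer build is how such a regression is caught in a test suite before release.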
Impact
Successful exploitation of this heap buffer overflow can lead to heap memory corruption and the corruption of audit log output. While the exact consequences depend on the memory layout and allocator behavior, it could potentially lead to denial-of-service or, in some scenarios, information disclosure or arbitrary code execution if the heap corruption can be further manipulated [3].
Mitigation
This vulnerability has been addressed in updated packages for 389-ds-base. Specifically, it is included in RHBA-2025:15534 for Red Hat Enterprise Linux 9 [1]. The issue is fixed in RHEL 9.6 and RHEL 10. No specific workaround is mentioned, but ensuring audit logging is disabled or using secure password storage schemes other than CLEAR may reduce the attack surface. The vulnerability is not present in RHEL 7, RHEL 8, or RHEL 9.0-9.5 [3].
AI Insight generated on Jun 9, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (4)
News mentions (0)
No linked articles in our index yet.