CVE-2026-11793

Vulnerability

A stack buffer overflow flaw exists in the checkPrefix() function within pw.c in 389 Directory Server. When parsing reversible-encrypted attribute values, the function copies an attacker-controlled algorithm ID into a 256-byte stack buffer without performing bounds checking. This affects versions of 389 Directory Server used in RHEL 7, RHEL 8, and Fedora 42 [2].

Exploitation

An attacker requires Directory Manager privileges on the target 389 Directory Server. They must store a crafted credential or configuration attribute (like nsDS5ReplicaCredentials) containing an oversized algorithm ID within the reversible-encrypted format {SCHEME-}ciphertext. This crafted data can be injected via cn=config or similar local configuration methods [2].

Impact

Successful exploitation allows an attacker to crash the ns-slapd process, resulting in a denial of service (DoS) for the LDAP server. Due to the FORTIFY_SOURCE mitigation, code execution is not possible on production builds, limiting the impact to a crash (SIGABRT) [2].

Mitigation

This vulnerability has been fixed in 389 Directory Server. Specific patched versions are available for RHEL 7, RHEL 8, and Fedora 42 [2]. Users should update to the patched versions to remediate the issue. No workarounds are described in the available references [1, 2].