CVE-2026-11884

Vulnerability

A heap buffer overflow flaw exists in 389 Directory Server's schema serialization code, specifically within the read_schema_dse() and schema_oc_to_string() functions. The length of the oc_superior (SUP) field is omitted from buffer size calculations, but the field is still written using strcat(). This vulnerability is an incomplete fix variant of CVE-2025-14905 [3]. Variant 1 in read_schema_dse overflows with SUP values around 248 bytes, while Variant 2 in schema_oc_to_string overflows with SUP values around 62 bytes [3].

Exploitation

An attacker requires Directory Manager privileges or control over a replication supplier to trigger this vulnerability. The attacker can create objectclasses with long oc_superior values to cause a heap buffer overflow. In replication scenarios, a compromised supplier can push malicious schema definitions to consumers [3].

Impact

Successful exploitation of this vulnerability can lead to a server crash, resulting in a Denial of Service (DoS). While RCE is not considered feasible on x86_64 due to the nature of the overflow content, the primary impact is the disruption of service [3].

Mitigation

This issue has been addressed in Red Hat Enterprise Linux 8.6 and 8.8 via RHSA-2026:5511 and RHSA-2026:5576, respectively [2]. Specific fixed versions and release dates for other products are not yet disclosed in the available references.