CVE-2026-9064
Description
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LDAP server in 389-ds-base does not bound the number of controls it accepts per LDAP message, allowing a remote, unauthenticated attacker to cause CPU and heap exhaustion and a denial of service.
Vulnerability
A flaw exists in 389-ds-base in the get_ldapmessage_controls_ext() function, which parses the controls attached to an LDAP message. The function does not enforce an upper bound on the number of controls per message, so the only limit a request has to stay under is the default maximum BER message size of 2 MB. Within that size an unauthenticated attacker can fit hundreds of thousands of minimal controls in a single request. This issue affects versions prior to the fix [1][2].
Exploitation
The attacker requires no authentication and no special network position; the LDAP server only has to be reachable. The attacker sends a specially crafted LDAP request containing an excessive number of small controls. The server parses and allocates state for every control, so CPU time and heap usage scale with the control count rather than with the bounded message size. By sending such requests repeatedly and concurrently, the attacker can exhaust server resources [1][2].
Impact
Successful exploitation results in excessive CPU consumption and heap allocation, causing significant latency degradation, worker thread starvation, or out-of-memory termination of the server process. The overall outcome is a denial of service against the LDAP server [1][2].
Mitigation
A fix has been committed to the 389-ds-base repository. Users should update to the latest patched version as released by Red Hat or the 389 Directory Server project. No workarounds are disclosed in the available references [1][2].
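As an added example, not code from 389-ds-base, from this page or from its references: a small BER encoder for the LDAP Controls element and a parser for it, run once without a bound (the behaviour described under Exploitation) and once with a hypothetical cap of the kind a fix would add (the project's actual limit, and where it is enforced, are not given in the references). It shows how many 7-byte controls fit under the 2 MB default and why the cap has to be checked before each control is decoded rather than after the list is parsed. `MAX_CONTROLS`, `controls_per_message` and the 32-byte `envelope` allowance are assumptions made for the example.

```python
"""Added example, not code from 389-ds-base or from this page: encode the LDAP
Controls element (RFC 4511 section 4.1.11) and parse it with and without an
upper bound on the control count. MAX_CONTROLS is a hypothetical value."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_MAX_BER_SIZE = 2 * 1024 * 1024  # the 2 MB default named in the description
MAX_CONTROLS = 32                        # hypothetical cap, not the project's actual limit

def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content

def encode_control(oid: str, criticality: bool = False, value: Optional[bytes] = None) -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN DEFAULT FALSE,
    controlValue OCTET STRING OPTIONAL }. With both defaults it is 4 + len(oid) bytes."""
    inner = ber_tlv(0x04, oid.encode("ascii"))
    if criticality:
        inner += ber_tlv(0x01, b"\xff")
    if value is not None:
        inner += ber_tlv(0x04, value)
    return ber_tlv(0x30, inner)

def encode_controls(controls: List[bytes]) -> bytes:
    """Controls ::= [0] IMPLICIT SEQUENCE OF Control, context-specific tag 0xA0."""
    return ber_tlv(0xA0, b"".join(controls))

def controls_per_message(max_ber_size: int, control: bytes, envelope: int = 32) -> int:
    """Copies of `control` that fit under the BER size limit; `envelope` (an assumed figure)
    reserves bytes for the LDAPMessage, messageID, protocolOp and Controls headers."""
    return (max_ber_size - envelope) // len(control)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); rejects truncated and indefinite-length encodings."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class Control:
    oid: str
    criticality: bool = False
    value: Optional[bytes] = None

def decode_control(content: bytes) -> Control:
    tag, oid, pos = read_tlv(content, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    ctl, rest = Control(oid.decode("ascii")), []
    while pos < len(content):
        tag, item, pos = read_tlv(content, pos)
        rest.append((tag, item))
    # only these element sequences are legal after controlType
    if [t for t, _ in rest] not in ([], [0x01], [0x04], [0x01, 0x04]):
        raise ValueError("unexpected elements in Control")
    for tag, item in rest:
        if tag == 0x01:
            ctl.criticality = item != b"\x00"
        else:
            ctl.value = item
    return ctl

def parse_controls(buf: bytes, max_controls: Optional[int] = None) -> List[Control]:
    """max_controls=None decodes and retains every control (the unbounded behaviour);
    with a cap the message is rejected before the (cap+1)th control is decoded."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0xA0 or end != len(buf):
        raise ValueError("not a Controls element")
    out: List[Control] = []
    pos = 0
    while pos < len(body):
        if max_controls is not None and len(out) >= max_controls:
            raise ValueError(f"more than {max_controls} controls in one message")
        tag, content, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Control must be a SEQUENCE")
        out.append(decode_control(content))
    return out

if __name__ == "__main__":
    minimal = encode_control("1.2")  # 7 bytes: 30 05 04 03 31 2e 32
    n = controls_per_message(DEFAULT_MAX_BER_SIZE, minimal)
    print(f"{len(minimal)}-byte control: {n} fit under {DEFAULT_MAX_BER_SIZE} bytes")
    flood = encode_controls([minimal] * n)
    print("unbounded parse retained", len(parse_controls(flood)), "Control objects")
    try:
        parse_controls(flood, max_controls=MAX_CONTROLS)
    except ValueError as err:
        print("bounded parse rejected it early:", err)
```

Run as a script, it reports that close to 300,000 seven-byte controls fit under the 2 MB default, that the unbounded parse retains one object per control, and that the capped parse fails on the 33rd control. The check sits before decode_control, so an over-long list costs at most max_controls decodes; placing it after the loop would leave the CPU and allocation problem in place.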
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.