CVE-2026-11786 PUBLISHED

389-ds-base: 389-ds-base: heap out-of-bounds read in ldif parser str2entry_state_information_from_type()

Assigner: redhat
Reserved: 09.06.2026 Published: 09.06.2026 Updated: 09.06.2026

A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 1.9

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	Red Hat Directory Server 11
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Directory Server 12
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Directory Server 13
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 10
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 6
Versions	Default: unknown

Vendor	Red Hat
Product	Red Hat Enterprise Linux 7
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 8
Versions	Default: affected

Vendor	Red Hat
Product	Red Hat Enterprise Linux 9
Versions	Default: affected

Workarounds

Validate LDIF files for malformed attribute types before importing. Reject any LDIF entry containing attribute types with trailing semicolons (e.g., userCertificate;binary;). Pre-import validation: grep -nE '^[a-zA-Z][a-zA-Z0-9-];[^:];:' input.ldif && echo "REJECT: trailing semicolon in attribute type". This does not protect against the replication changelog path (corrupted stored data), but that path requires pre-existing database corruption, not external input.

References

Problem Types

Out-of-bounds Read CWE