CVE-2026-11774: 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
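The wraparound described above is easy to see in a small model of the length check. The following C is an added example written for this page; it is a constructed model of the check pattern, not code from 389-ds-base, and the 2 MiB limit, the function names and the sample prefixes are assumptions chosen to illustrate the behaviour. The vulnerable form adds the prefix size to the declared length before comparing with the limit, so a prefix of 0xFFFFFFFC wraps to 0 and passes; the hardened form rejects any length that cannot be added to the prefix size without wrapping before doing the arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the SASL length check discussed in the advisory.
 * Not the 389-ds-base source. The limit below is an assumed value standing
 * in for nsslapd-maxsasliosize, used only to make the example concrete. */
#define ASSUMED_MAX_SASL_IO_SIZE (2u * 1024u * 1024u)
#define SASL_LEN_PREFIX ((uint32_t)sizeof(uint32_t))

/* Decode the 4-byte big-endian length prefix that precedes a SASL packet. */
uint32_t read_len_prefix(const unsigned char prefix[4]) {
    return ((uint32_t)prefix[0] << 24) | ((uint32_t)prefix[1] << 16) |
           ((uint32_t)prefix[2] << 8)  |  (uint32_t)prefix[3];
}

/* Vulnerable pattern: the total (prefix + payload) is computed in 32-bit
 * unsigned arithmetic and only then compared with the limit. For a declared
 * length of 0xFFFFFFFC the addition wraps to 0, which passes the check.
 * Returns 1 if the packet is accepted, 0 if it is rejected. */
int accept_len_vulnerable(uint32_t packet_len, uint32_t max_io_size) {
    uint32_t total = packet_len + SASL_LEN_PREFIX;   /* may wrap to 0 */
    return total <= max_io_size;
}

/* Hardened pattern: refuse any declared length for which the addition would
 * wrap, and only then compute the total and compare it with the limit. */
int accept_len_fixed(uint32_t packet_len, uint32_t max_io_size) {
    if (packet_len > UINT32_MAX - SASL_LEN_PREFIX)
        return 0;                                     /* would wrap: reject */
    uint32_t total = packet_len + SASL_LEN_PREFIX;    /* now cannot wrap */
    return total <= max_io_size;
}

int main(void) {
    /* Constructed sample prefixes: the wraparound value from the advisory
     * and an ordinary 4 KiB packet. */
    const unsigned char crafted[4] = {0xFF, 0xFF, 0xFF, 0xFC};
    const unsigned char normal[4]  = {0x00, 0x00, 0x10, 0x00};
    const unsigned char *samples[2] = {crafted, normal};

    for (int i = 0; i < 2; i++) {
        uint32_t len = read_len_prefix(samples[i]);
        printf("prefix 0x%08X: vulnerable check %s, fixed check %s\n", len,
               accept_len_vulnerable(len, ASSUMED_MAX_SASL_IO_SIZE) ? "accepts" : "rejects",
               accept_len_fixed(len, ASSUMED_MAX_SASL_IO_SIZE) ? "accepts" : "rejects");
    }
    return 0;
}
```

The fixed variant keeps the original comparison semantics (prefix plus payload against the limit) and only adds the pre-check, which is the usual shape of a patch for this class of bug; an equivalent alternative is to compare the declared length against the limit minus the prefix size and never form the sum at all.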
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 8
HarborGuard Analysis
Synopsis
An integer overflow in the SASL I/O layer of 389 Directory Server (389-ds-base) allows a remote attacker to bypass the configured maximum SASL I/O size limit and trigger a heap buffer overflow. The vulnerability is reachable over the network by any authenticated user who has completed a SASL bind with integrity protection, meaning a low-privilege domain account, enrolled host credential, or Kerberos service ticket is sufficient. Successful exploitation crashes the directory server or, under favorable memory layout conditions, achieves remote code execution. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection capability for CVE-2026-11774 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including Red Hat Security Advisories) within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images derived from RHEL or Red Hat Directory Server base layers.
HarborGuard scores this CVE at 7.6 HIGH per CVSS v3.1 and surfaces it with that severity weighting inside each customer environment. Per-environment compliance policy rules can further escalate or route the finding to the appropriate team inbox based on workload classification, asset criticality, or regulatory context.
Because no upstream fix version has been published for CVE-2026-11774, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Red Hat ships a corrected package. For customers who opt into auto-remediation, the rebuild, regression test run, and pull request against affected workloads will be triggered without manual intervention once the fix lands upstream.
Exploit Conditions
- Network reachability: Required
The attacker must reach the 389 Directory Server LDAP service over the network; the vulnerable SASL packet processing path is exposed on the standard LDAP/LDAPS port.
- Authentication: Required
A low-privilege account is sufficient: the attacker must complete a SASL bind with integrity protection (SSF greater than 0), achievable with any valid Kerberos ticket, enrolled host credential, or domain service account.
- Victim interaction: Not required
No user interaction is required; the attacker sends a crafted SASL packet directly to the server without any victim action.
- Attack complexity: Low
Attack complexity is low, meaning the overflow can be triggered reliably without race conditions or special environmental prerequisites, though achieving code execution beyond DoS may depend on heap memory layout at the time of exploitation.
Blast Radius
- Crashes the 389 Directory Server process, taking down LDAP authentication and directory lookups for all dependent services and users.
- Writes up to approximately 2 megabytes of attacker-controlled data past the end of a heap allocation, creating conditions for arbitrary code execution on the host running the directory server.
- In FreeIPA and Red Hat Identity Management environments, a compromised directory server exposes all stored user accounts, group memberships, host records, and Kerberos principal data to further attack.
- Confidentiality and integrity of directory data are at partial risk alongside the high availability impact, per the CVSS C:L/I:L/A:H scoring.
How HarborGuard Handles This
Because no upstream fix has been published for CVE-2026-11774 as of the CVE publication date, HarborGuard continuously re-checks the Red Hat advisory on every ingest cycle. The moment Red Hat ships a corrected 389-ds-base package, a patched-image rebuild becomes available, and customers with auto-remediation enabled receive a rebuilt image, an automated regression test run, and a pull request opened against affected workloads with no manual steps required. In the interim, compensating controls worth considering include applying network policy rules to restrict LDAP port access to known client CIDRs, enforcing GSSAPI/Kerberos pre-authentication controls to reduce the pool of accounts that can reach the vulnerable SASL bind path, and tagging affected directory-server images in HarborGuard with a block-on-deploy policy where compliance rules permit. Customers can also configure HarborGuard alerts to fire on any new image push that introduces an affected 389-ds-base layer, giving teams visibility before deployment.
Affected Products
- Red Hat / Red Hat Directory Server 11
- Red Hat / Red Hat Directory Server 12
- Red Hat / Red Hat Directory Server 13
- Red Hat / Red Hat Enterprise Linux 10
- Red Hat / Red Hat Enterprise Linux 6
- Red Hat / Red Hat Enterprise Linux 7
- Red Hat / Red Hat Enterprise Linux 8
- Red Hat / Red Hat Enterprise Linux 9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H