Bug 2484914 (CVE-2026-11793)
| Summary: | CVE-2026-11793 389-ds-base: 389-ds-base: stack buffer overflow in checkPrefix() algorithm ID parsing | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | aadhikar, bsmejkal, jachapma, mreynolds, progier, rhel-process-autobot, snegrini, spichugi, tbordaz, vashirov, watson-tool-maintainers |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A stack buffer overflow flaw was found in 389 Directory Server. The checkPrefix() function in pw.c copies an attacker-controlled algorithm ID into a 256-byte stack buffer without bounds checking when parsing reversible-encrypted attribute values. An attacker with Directory Manager privileges can crash the LDAP server by storing a crafted credential with an oversized algorithm ID. FORTIFY_SOURCE mitigates this to denial of service only. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
A stack buffer overflow exists in 389 Directory Server's checkPrefix() function (pw.c:440-466). When parsing reversible-encrypted attribute values in the format {SCHEME-<algid>}ciphertext, the algorithm ID is copied into a 256-byte stack buffer via memcpy with no bounds check on (end - delim).

An attacker with Directory Manager privileges can crash ns-slapd by storing a crafted nsDS5ReplicaCredentials (or similar reversible-encrypted config attribute) with an oversized algorithm ID. FORTIFY_SOURCE (__memcpy_chk) aborts the process before overflow bytes are written, limiting impact to DoS (SIGABRT) only. Code execution is not possible on production builds.

Production crashes confirmed on RHEL 7 (389-ds-base-1.3.11.1-5.el7_9) and Fedora 42 (389-ds-base-3.1.4-6.fc42). RHEL 8 crash confirmed via dse.ldif injection (389-ds-base-1.4.3.39-2.module_el8).

Note: cn=config is local configuration and not replicated; triggering requires Directory Manager access on the target server.

Advisory: 389-ds-campaign-2026-04/003-Stack-Overflow-checkPrefix/advisory.md. Source: PSIRTSUPT-7600 (Ian Murphy, Red Hat Product Security).
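The fix pattern for this class of bug is to compute the algorithm ID length before the memcpy and reject the value when it would not fit in the destination buffer. The parser below is an added illustration written for this page; it is not 389-ds-base's checkPrefix() and does not reproduce its internals. The function name parse_reversible_prefix, the return codes, the ALGID_BUF_SIZE constant and the sample values are all assumptions made for the example. The delimiter search mirrors the {SCHEME-<algid>}ciphertext layout the advisory describes, with the bounds check on the span between the '-' and the '}' that the original code lacked.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical buffer size, matching the 256-byte stack buffer the advisory
 * describes. Not a constant from 389-ds-base. */
#define ALGID_BUF_SIZE 256

/*
 * Parse a reversible-encrypted value of the form "{SCHEME-<algid>}ciphertext".
 * On success the algorithm ID is copied NUL-terminated into out (capacity
 * out_size), *ciphertext points at the text after '}', and 0 is returned.
 * Returns -1 for a malformed prefix and -2 when the algorithm ID (plus NUL)
 * would not fit in out. The length check happens before the memcpy, which is
 * the defect the advisory reports in checkPrefix().
 * Added example; not the project's own parser.
 */
int parse_reversible_prefix(const char *value, char *out, size_t out_size,
                            const char **ciphertext)
{
    if (value == NULL || out == NULL || out_size == 0) {
        return -1;
    }
    if (value[0] != '{') {
        return -1;
    }

    /* Locate the scheme/algid separator and the closing brace. */
    const char *delim = strchr(value, '-');
    const char *end = strchr(value, '}');
    if (delim == NULL || end == NULL || delim > end) {
        return -1;              /* missing separator, missing '}', or '}' before '-' */
    }
    if (delim == value + 1) {
        return -1;              /* empty scheme name */
    }

    size_t algid_len = (size_t)(end - delim - 1);   /* bytes between '-' and '}' */
    if (algid_len == 0) {
        return -1;              /* empty algorithm ID */
    }

    /* Bounds check: the ID and its terminating NUL must fit the caller's buffer.
     * An oversized ID is rejected instead of overrunning the stack. */
    if (algid_len + 1 > out_size) {
        return -2;
    }

    memcpy(out, delim + 1, algid_len);
    out[algid_len] = '\0';
    if (ciphertext != NULL) {
        *ciphertext = end + 1;
    }
    return 0;
}

int main(void)
{
    char algid[ALGID_BUF_SIZE];
    const char *ct = NULL;

    /* Constructed well-formed sample value. */
    int rc = parse_reversible_prefix("{AES-rev1}Zm9vYmFy", algid, sizeof algid, &ct);
    printf("rc=%d algid=%s ciphertext=%s\n", rc, algid, ct);

    /* Constructed oversized sample: a 500-byte algorithm ID, well past 256. */
    char big[600];
    memset(big, 'A', sizeof big);
    memcpy(big, "{AES-", 5);
    big[sizeof big - 3] = '}';
    big[sizeof big - 2] = 'x';
    big[sizeof big - 1] = '\0';
    rc = parse_reversible_prefix(big, algid, sizeof algid, &ct);
    printf("rc=%d (oversized algorithm ID rejected before copy)\n", rc);
    return 0;
}
```

Rejecting the value (rather than silently truncating the ID) is the safer choice here: a truncated algorithm ID could be looked up as a different, valid algorithm, whereas a parse error surfaces the malformed attribute to the administrator.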