Bug 2484916 (CVE-2026-11774)

Summary: CVE-2026-11774 389-ds-base: integer overflow in SASL packet length bypasses size limit leading to heap buffer overflow
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: aadhikar, bsmejkal, jachapma, mreynolds, progier, rhel-process-autobot, snegrini, spichugi, tbordaz, vashirov, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.

Description OSIDB Bzimport 2026-06-04 21:00:45 UTC
An integer overflow in the 389 Directory Server SASL I/O layer allows any SASL-authenticated user to bypass the nsslapd-maxsasliosize packet size limit and crash the LDAP server, with potential code execution on older platforms (RCE demonstrated on RHEL 8 via tcache poisoning).

After authenticating with Kerberos or DIGEST-MD5, an attacker sends a SASL-framed packet with a crafted 4-byte length prefix of 0xFFFFFFFC. In sasl_io_start_packet() (sasl_io.c:372-374), packet_length += sizeof(uint32_t) wraps to 0, bypassing the size limit check. sasl_io_read_packet() then computes an underflowed bytes_remaining, and NSPR passes a near-maximum recv() size into a 1024-byte encrypted_buffer — a controlled heap buffer overflow of up to maxbersize (~2MB).

In FreeIPA/IdM deployments, any domain user with a Kerberos ticket, enrolled host, or service account can trigger this remotely.

Introduced when the SASL I/O layer was first added to 389-ds-base. Independent of Finding 008 (different code path in same file). CVE-2025-14905 fix patched schema.c only; sasl_io.c untouched.

DoS confirmed on Fedora 42 (GDB-verified) and RHEL 8 production binary. RCE demonstrated on RHEL 8 (glibc 2.28) via tcache poisoning; blocked on glibc 2.32+ by safe linking.
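The length-check pattern described above, reconstructed as an added illustration rather than code from 389-ds-base, with an overflow-safe check beside it. MAX_SASL_IO_SIZE stands in for nsslapd-maxsasliosize, and all function names are assumptions, not the names in sasl_io.c:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative limit standing in for nsslapd-maxsasliosize (~2 MB). */
#define MAX_SASL_IO_SIZE (2u * 1024u * 1024u)
#define SASL_HEADER_LEN  ((uint32_t)sizeof(uint32_t))

/* Decode the 4-byte big-endian length prefix that frames a SASL packet. */
uint32_t sasl_prefix_length(const unsigned char prefix[4])
{
    return ((uint32_t)prefix[0] << 24) | ((uint32_t)prefix[1] << 16) |
           ((uint32_t)prefix[2] << 8)  |  (uint32_t)prefix[3];
}

/* Flawed pattern from the report: the header size is added BEFORE the limit
 * check, so 0xFFFFFFFC + 4 wraps to 0 and the oversized packet is accepted. */
bool vulnerable_accepts(uint32_t packet_length, uint32_t max_size)
{
    packet_length += SASL_HEADER_LEN;      /* unsigned wraparound possible */
    return packet_length <= max_size;
}

/* Hardened check: refuse any length whose framed total cannot be represented,
 * then compare the full framed size against the configured limit. */
bool hardened_accepts(uint32_t packet_length, uint32_t max_size)
{
    if (packet_length > UINT32_MAX - SASL_HEADER_LEN)
        return false;                      /* the addition would wrap */
    return packet_length + SASL_HEADER_LEN <= max_size;
}

/* Follow-on underflow from the report: once a wrapped total of 0 is accepted,
 * "length - bytes already read" becomes a near-UINT32_MAX read size. */
uint32_t bytes_remaining(uint32_t packet_length, uint32_t already_read)
{
    return packet_length - already_read;
}

int main(void)
{
    /* Constructed prefix bytes for the 0xFFFFFFFC value named in the report. */
    const unsigned char prefix[4] = {0xFF, 0xFF, 0xFF, 0xFC};
    uint32_t len = sasl_prefix_length(prefix);

    printf("prefix length      : 0x%08X\n", len);
    printf("vulnerable accepts : %s\n", vulnerable_accepts(len, MAX_SASL_IO_SIZE) ? "yes" : "no");
    printf("hardened accepts   : %s\n", hardened_accepts(len, MAX_SASL_IO_SIZE) ? "yes" : "no");
    printf("remaining after header read: %u\n", bytes_remaining(len + SASL_HEADER_LEN, SASL_HEADER_LEN));
    return 0;
}
```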