Bug 2485414 (CVE-2026-11791)

Summary: CVE-2026-11791 389-ds-base: use-after-free in schema reload via attr_syntax_swap_ht()
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aadhikar, bsmejkal, jachapma, mreynolds, progier, rhel-process-autobot, snegrini, spichugi, tbordaz, vashirov, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux

Description (OSIDB Bzimport, 2026-06-05 10:38:07 UTC)
A use-after-free vulnerability exists in 389 Directory Server's schema reload mechanism. The attr_syntax_swap_ht() function (attrsyntax.c:1639-1665) frees all attribute syntax info nodes unconditionally via attr_syntax_free(), bypassing the refcount-based deferred deletion pattern used by attr_syntax_delete_no_lock() in the same file.

When an administrator triggers a schema reload (dsconf schema reload or a modification of cn=schema,cn=config) while concurrent LDAP query traffic is active, query threads that still hold asyntaxinfo references after releasing the read lock end up accessing freed memory. Any subsequent access to the dangling pointer, or a call to attr_syntax_return() on it, results in a use-after-free or double-free that crashes ns-slapd with SIGSEGV.

The race window is narrow (nanoseconds to low microseconds). A GDB-controlled reproduction confirmed the use-after-free (with MALLOC_PERTURB_=170) and the double-free crash. Stress testing (380 reloads with 12 concurrent query threads over 80 s) did not trigger a natural crash.

Contributing factor: slapi_attr_is_dn_syntax_type() leaks asi_refcnt by calling attr_syntax_get_by_name() without a matching attr_syntax_return(), which increases the probability that nodes still have outstanding references at the moment swap_ht frees them.

Introduced with the dynamic schema reload feature; present in all shipped 389-ds-base versions with schema reload support. The fix for CVE-2025-14905 patched schema.c only and left attrsyntax.c untouched.
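To make the refcount-based deferred deletion pattern that the report contrasts with attr_syntax_swap_ht() concrete, here is a simplified model added for this page; it is not 389-ds-base code, and the struct, table and function names are invented stand-ins for asyntaxinfo, attr_syntax_get_by_name() and attr_syntax_return(). The table owns one reference per node, each lookup takes another, and a reload drops only the table's reference, so a node a query thread still holds is freed only when that thread returns it.

```c
/* Illustrative model of refcount-based deferred deletion for
 * attribute-syntax nodes (not 389-ds-base code; names are stand-ins). */
#include <stdlib.h>
#include <string.h>

#define HT_SIZE 4

typedef struct asi {
    char name[32];
    int asi_refcnt;      /* table reference + outstanding lookup references */
} asi_t;

static asi_t *g_ht[HT_SIZE];   /* live table; NULL marks an empty slot */
static int g_frees;            /* number of nodes actually freed so far */

asi_t *asi_new(const char *name) {
    asi_t *a = calloc(1, sizeof *a);
    strncpy(a->name, name, sizeof a->name - 1);
    a->asi_refcnt = 1;         /* the reference held by the table itself */
    return a;
}

/* Lookup under the read lock: bumps the refcount before returning the node. */
asi_t *asi_get(const char *name) {
    for (int i = 0; i < HT_SIZE; i++)
        if (g_ht[i] && strcmp(g_ht[i]->name, name) == 0) {
            g_ht[i]->asi_refcnt++;
            return g_ht[i];
        }
    return NULL;
}

/* Release: only the LAST outstanding reference frees the node. */
void asi_return(asi_t *a) {
    if (a && --a->asi_refcnt == 0) { free(a); g_frees++; }
}

/* Deferred-deletion reload: install the new table, then drop only the old
 * table's own reference on each node. A node a query thread still holds
 * survives until that thread calls asi_return(). Returns the number of
 * frees that had to be deferred. Calling free() unconditionally here
 * instead is the use-after-free pattern described in the report. */
int ht_swap_deferred(asi_t **new_ht) {
    asi_t *old[HT_SIZE];
    memcpy(old, g_ht, sizeof old);
    memcpy(g_ht, new_ht, sizeof old);   /* done under the write lock in practice */
    int deferred = 0;
    for (int i = 0; i < HT_SIZE; i++) {
        if (!old[i]) continue;
        if (old[i]->asi_refcnt > 1) deferred++;
        asi_return(old[i]);             /* frees only if nobody else holds it */
    }
    return deferred;
}

int frees_so_far(void) { return g_frees; }
```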