Bug 2485422 (CVE-2026-11789)

Summary: CVE-2026-11789 389-ds-base: 389-ds-base: SMD5 password storage plugin salt length integer underflow crash
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aadhikar, bsmejkal, jachapma, mreynolds, progier, rhel-process-autobot, snegrini, spichugi, tbordaz, vashirov, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-05 12:25:03 UTC 
The SMD5 password storage plugin in 389 Directory Server computes salt length by subtracting MD5_LENGTH (16) from the decoded hash length using unsigned 32-bit arithmetic. When the stored hash is shorter than 16 bytes, the subtraction wraps to approximately 4GB. PK11_DigestOp() then reads from a small stack buffer into unmapped memory, crashing ns-slapd with SIGSEGV.

An attacker with Directory Manager privileges plants a crafted SMD5 hash; any subsequent BIND triggers instant crash. Missed variant of CVE-2024-5953 which patched md5_pwd.c and pbkdf2_pwd.c but not smd5_pwd.c.

Present since smd5_pwd.c creation (~2005). PoC confirmed on Fedora 42 production binary.