Bug 2485427 (CVE-2026-11785)

Summary: CVE-2026-11785 389-ds-base: 389-ds-base: partial stack address information leak via ber_printf type confusion in SSO token handler
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aadhikar, bsmejkal, jachapma, mreynolds, progier, rhel-process-autobot, snegrini, spichugi, tbordaz, vashirov, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2026-06-05 12:25:20 UTC 
A type confusion bug in extop_handle_ldapssotoken_request() (extendop.c) passes a stack pointer (&rc) to ber_printf with format 'i' which expects an integer. The low 32 bits of a stack address are encoded into every SSO token LDAP extended operation response.

Any authenticated non-administrator user can extract partial stack address information. SSO token feature enabled by default with auto-generated secret (Issue #1797). PoC confirmed on Fedora 42: INTEGER=0x8e7faed8 leaked. Reduces stack ASLR entropy but is not a full bypass.