An integer overflow in the 389 Directory Server SASL I/O layer allows any SASL-authenticated user to bypass the nsslapd-maxsasliosize packet size limit and crash the LDAP server, with potential code execution on older platforms (RCE demonstrated on RHEL 8 via tcache poisoning).

After authenticating with Kerberos or DIGEST-MD5, an attacker sends a SASL-framed packet whose 4-byte length prefix is 0xFFFFFFFC. In sasl_io_start_packet() (sasl_io.c:372-374), packet_length += sizeof(uint32_t) wraps to 0, so the size limit check passes. sasl_io_read_packet() then computes bytes_remaining from the wrapped value, which underflows, and NSPR passes a near-maximum recv() size for the 1024-byte encrypted_buffer: a controlled heap buffer overflow of up to maxbersize (~2MB). In FreeIPA/IdM deployments, any domain user with a Kerberos ticket, enrolled host, or service account can trigger this remotely.

The flaw was introduced when the SASL I/O layer was first added to 389-ds-base. It is independent of Finding 008 (a different code path in the same file). The CVE-2025-14905 fix patched schema.c only; sasl_io.c is untouched. DoS confirmed on Fedora 42 (GDB-verified) and on the RHEL 8 production binary. RCE demonstrated on RHEL 8 (glibc 2.28) via tcache poisoning; blocked on glibc 2.32+ by safe linking.
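As an added illustration (not the project's code and not from the original page), a simplified C model of the wrapping length check described above next to an overflow-safe version, plus the bytes_remaining underflow that follows; the limit constant, the function names and the constructed prefix bytes are assumptions:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed limit for illustration; the real value comes from nsslapd-maxsasliosize. */
#define SASL_IO_LIMIT 2097152u

/* Constructed packet header: the 4-byte big-endian prefix 0xFFFFFFFC from the finding. */
static const unsigned char crafted_prefix[4] = {0xFF, 0xFF, 0xFF, 0xFC};

/* Read the 4-byte big-endian length prefix that a SASL-framed packet starts with. */
static uint32_t read_length_prefix(const unsigned char *pkt)
{
    return ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
           ((uint32_t)pkt[2] << 8) | (uint32_t)pkt[3];
}

/* Hypothetical model of the flawed check: the header size is added to a 32-bit
 * packet_length before the comparison, so 0xFFFFFFFC + 4 wraps to 0 and the
 * limit check passes for the largest possible prefix. */
static bool flawed_length_ok(uint32_t prefix, uint32_t limit)
{
    uint32_t packet_length = prefix;
    packet_length += sizeof(uint32_t);   /* stored back into uint32_t: wraps to 0 */
    return packet_length <= limit;
}

/* Hardened check: refuse any prefix whose addition would wrap, then compare
 * the full framed size (prefix plus header) against the configured limit. */
static bool hardened_length_ok(uint32_t prefix, uint32_t limit)
{
    if (prefix > UINT32_MAX - (uint32_t)sizeof(uint32_t)) {
        return false;                    /* addition would overflow: reject */
    }
    return prefix + (uint32_t)sizeof(uint32_t) <= limit;
}

/* Model of the second stage: with packet_length wrapped to 0 and the 4 header
 * bytes already consumed, bytes_remaining = 0 - 4 underflows to a huge size,
 * which is what ends up as the recv() length for a 1024-byte buffer. */
static size_t bytes_remaining_after_header(uint32_t packet_length)
{
    size_t bytes_read = sizeof(uint32_t);
    return (size_t)packet_length - bytes_read;
}

/* Run the constructed header through both checks; true means the hardened
 * check rejects a packet the flawed check would have accepted. */
static bool hardened_rejects_crafted_prefix(void)
{
    uint32_t prefix = read_length_prefix(crafted_prefix);
    return flawed_length_ok(prefix, SASL_IO_LIMIT) &&
           !hardened_length_ok(prefix, SASL_IO_LIMIT);
}
```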