Bug 2495003 - CVE-2026-11788 389-ds-base: 389-ds-base: NULL pointer dereference in deref control plugin BER parser [fedora-all]
Summary: CVE-2026-11788 389-ds-base: 389-ds-base: NULL pointer dereference in deref co...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Version: rawhide
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
Assignee: mreynolds
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["adb64b26-9ac7-49c3-98ae-f...
Depends On:
Blocks: CVE-2026-11788
TreeView+ depends on / blocked
 
Reported: 2026-06-30 16:01 UTC by Samuele Negrini
Modified: 2026-06-30 16:01 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
fedora-admin-xmlrpc: mirror+


Attachments (Terms of Use)

Description Samuele Negrini 2026-06-30 16:01:10 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

The dereference control plugin in 389 Directory Server fails to check the return value of ber_init() for NULL before use in deref_parse_ctrl_value() (deref.c). When memory allocation fails under memory pressure, an unauthenticated LDAP client sending a search with the deref control can crash ns-slapd.

The deref plugin is enabled by default. Crash confirmed via GDB fault injection on Fedora 42 (SIGABRT) and CentOS 7 (SIGSEGV on OpenLDAP 2.4). Vulnerable code present since deref plugin introduction in 389-ds-base 1.2.6 (~2010).


Note You need to log in before you can comment on or make changes to this bug.