Bug 2497652 - CVE-2026-11610 389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv() via padded SASL UNBIND [fedora-all]
Summary: CVE-2026-11610 389-ds-base: 389-ds-base: Heap buffer overflow in sasl_io_recv...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: 389-ds-base
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: mreynolds
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: {"flaws": ["4cf8fea0-c62c-4210-9d5a-0...
Depends On:
Blocks: CVE-2026-11610
TreeView+ depends on / blocked
 
Reported: 2026-07-07 09:10 UTC by Samuele Negrini
Modified: 2026-07-07 09:10 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:
fedora-admin-xmlrpc: mirror+


Attachments (Terms of Use)

Description Samuele Negrini 2026-07-07 09:10:17 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Finding 008 — 389-ds-base SASL heap overflow in sasl_io_recv().

Vulnerable: ldap/servers/slapd/sasl_io.c (~line 456), SASL_IO_BUFFER_NOT_ENCRYPTED path.
Introduced by commit b4cdebbe (~2013). Missing bounds check on memcpy into 512-byte c_buffer.

Trigger: SASL bind (GSSAPI/DIGEST-MD5), then send padded raw LDAP UNBIND.
DoS confirmed on production binary (389-ds-base-3.1.4-6.fc42).

Fix: add bounds check before memcpy, same pattern as encrypted return path in sasl_io_recv().


Note You need to log in before you can comment on or make changes to this bug.