Bug 2484915 (CVE-2026-11792) - CVE-2026-11792 389-ds-base: 389-ds-base: heap buffer overflow in audit log password masking (create_masked_entry_string)
Status: NEW
Alias: CVE-2026-11792
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team

Reported: 2026-06-04 20:43 UTC by OSIDB Bzimport
Modified: 2026-06-09 13:04 UTC

Description OSIDB Bzimport 2026-06-04 20:43:06 UTC
A heap buffer overflow exists in 389 Directory Server's audit log password masking feature. The create_masked_entry_string() function (auditlog.c:109) uses strcpy to write a fixed 24-byte mask string into a precisely-sized heap buffer from slapi_entry2str(). When a password value is shorter than 23 characters, the copy overflows past the allocated buffer boundary.

Trigger conditions require non-default configuration: audit logging enabled AND either passwordStorageScheme=CLEAR (explicitly discouraged) or a compromised replication peer sending short cleartext passwords via replicated ADD (repl_op bypasses password hashing).

Introduced by commit bfeaa8d (Issue 6884, July 2025) and backported to RHEL 9.6 (RHEL-109954) and RHEL 10 (RHEL-107035). Not present in RHEL 7, RHEL 8, or RHEL 9.0-9.5.

Production testing: heap corruption confirmed in audit log output on live server; ASan PoC confirms overflow. Production binaries may absorb overflow in allocator padding without immediate crash.

Advisory: 389-ds-campaign-2026-04/006-Auditlog-Heap-Overflow/advisory.md. Source: PSIRTSUPT-7600 (Ian Murphy, Red Hat Product Security).
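The strcpy-into-an-exactly-sized-buffer pattern described above, as an added illustration that is not code from 389-ds-base or from the advisory: overflow_bytes_if_strcpy() computes how far a fixed 24-byte mask would run past a heap buffer that was allocated for the original value only (zero bytes at 23 characters, 20 bytes for a 3-character password), and mask_entry_password() shows the shape of a fix that sizes the output for the mask rather than for the value. The mask constant, the "userPassword: " attribute layout and the LDIF-style entry text are assumptions; the real create_masked_entry_string() and slapi_entry2str() are not reproduced here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed 24-byte mask: 23 asterisks plus the terminating NUL. The actual
 * constant used in auditlog.c is not shown on the bug page. */
#define PW_MASK "**********" "**********" "***"
/* Assumed attribute prefix as emitted by an entry-to-string routine. */
#define PW_ATTR "userPassword: "

/* Vulnerable pattern, modelled without executing the overflow: a buffer was
 * allocated as strlen(value)+1 (exactly the bytes the original value needs),
 * then strcpy(buf, PW_MASK) writes sizeof(PW_MASK) bytes regardless.
 * Returns how many bytes would land past the end of that buffer. */
size_t overflow_bytes_if_strcpy(const char *value)
{
    size_t have = strlen(value) + 1;   /* bytes the allocation reserved for the value */
    size_t need = sizeof(PW_MASK);     /* 24: mask plus NUL, what strcpy writes */
    return need > have ? need - have : 0;
}

/* Locate "userPassword: " only at the start of a line, so a value that
 * happens to contain the attribute name is not mistaken for the attribute. */
static const char *find_pw_line(const char *entry)
{
    const char *p = entry;
    while ((p = strstr(p, PW_ATTR)) != NULL) {
        if (p == entry || p[-1] == '\n') {
            return p;
        }
        p += 1;
    }
    return NULL;
}

/* Hardened version: build a fresh string whose size accounts for the mask
 * length, never writing into the buffer sized for the original entry.
 * Masks the first userPassword line only. Caller frees the result. */
char *mask_entry_password(const char *entry)
{
    const char *attr = find_pw_line(entry);
    if (attr == NULL) {
        size_t n = strlen(entry) + 1;          /* nothing to mask: plain copy */
        char *copy = malloc(n);
        if (copy != NULL) {
            memcpy(copy, entry, n);
        }
        return copy;
    }

    const char *value = attr + strlen(PW_ATTR);
    const char *value_end = strchr(value, '\n');
    if (value_end == NULL) {
        value_end = value + strlen(value);     /* value is the last line, no newline */
    }

    size_t prefix_len = (size_t)(value - entry);   /* up to and including "userPassword: " */
    size_t mask_len = strlen(PW_MASK);
    size_t suffix_len = strlen(value_end);         /* "\n" and the remaining lines, may be empty */
    size_t total = prefix_len + mask_len + suffix_len + 1;

    char *out = malloc(total);                     /* sized for the mask, not the value */
    if (out == NULL) {
        return NULL;
    }
    memcpy(out, entry, prefix_len);
    memcpy(out + prefix_len, PW_MASK, mask_len);
    memcpy(out + prefix_len + mask_len, value_end, suffix_len + 1);   /* includes NUL */
    return out;
}

int main(void)
{
    /* Constructed sample entry in the assumed attr: value format. */
    const char *entry = "dn: uid=bob,dc=example,dc=com\nuserPassword: abc\nuid: bob\n";
    printf("strcpy of the mask over a buffer sized for \"abc\" overruns by %zu bytes\n",
           overflow_bytes_if_strcpy("abc"));
    char *masked = mask_entry_password(entry);
    if (masked != NULL) {
        fputs(masked, stdout);
        free(masked);
    }
    return 0;
}
```

The short-password threshold follows directly from the sizes: a 23-character cleartext value plus NUL occupies exactly the 24 bytes the mask needs, so anything shorter leaves the mask spilling past the allocation, which is the condition the report states.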