Bug 2484914 (CVE-2026-11793) - CVE-2026-11793 389-ds-base: 389-ds-base: stack buffer overflow in checkPrefix() algorithm ID parsing
Summary: CVE-2026-11793 389-ds-base: 389-ds-base: stack buffer overflow in checkPrefix...
Keywords:
Status: NEW
Alias: CVE-2026-11793
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-04 20:38 UTC by OSIDB Bzimport
Modified: 2026-06-09 13:05 UTC (History)
11 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-04 20:38:44 UTC 
A stack buffer overflow exists in 389 Directory Server's checkPrefix() function (pw.c:440-466). When parsing reversible-encrypted attribute values in the format {SCHEME-<algid>}ciphertext, the algorithm ID is copied into a 256-byte stack buffer via memcpy with no bounds check on (end - delim).

An attacker with Directory Manager privileges can crash ns-slapd by storing a crafted nsDS5ReplicaCredentials (or similar reversible-encrypted config attribute) with an oversized algorithm ID. FORTIFY_SOURCE (__memcpy_chk) aborts the process before overflow bytes are written, limiting impact to DoS (SIGABRT) only. Code execution is not possible on production builds.

Production crashes confirmed on RHEL 7 (389-ds-base-1.3.11.1-5.el7_9) and Fedora 42 (389-ds-base-3.1.4-6.fc42). RHEL 8 crash confirmed via dse.ldif injection (389-ds-base-1.4.3.39-2.module_el8).

Note: cn=config is local configuration and not replicated; triggering requires Directory Manager access on the target server.

Advisory: 389-ds-campaign-2026-04/003-Stack-Overflow-checkPrefix/advisory.md. Source: PSIRTSUPT-7600 (Ian Murphy, Red Hat Product Security).
Note You need to log in before you can comment on or make changes to this bug.