Bug 2484913 (CVE-2026-11884) - CVE-2026-11884 389-ds-base: 389-ds-base: heap buffer overflow in schema objectclass serialization due to missing oc_superior in size calculation
Keywords:
Status: NEW
Alias: CVE-2026-11884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-06-04 20:32 UTC by OSIDB Bzimport
Modified: 2026-06-10 14:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-06-04 20:32:36 UTC
Two heap buffer overflow vulnerabilities exist in 389 Directory Server schema serialization code. Both are incomplete-fix variants of CVE-2025-14905: the oc_superior (SUP) field length is omitted from buffer size calculations in read_schema_dse() and schema_oc_to_string(), but the field is still written via strcat().

Variant 1 (read_schema_dse, schema.c:1765): triggered during schema DSE reads; overflow at SUP >= ~248 bytes.
Variant 2 (schema_oc_to_string, schema.c:5151): triggered during schema replication comparison; overflow at SUP >= ~62 bytes.

An attacker with Directory Manager privileges can crash the server. In replication topologies, a compromised supplier can push malicious schema to consumers. RCE is not feasible on x86_64 due to ASCII-only overflow content.

Parent CVE: CVE-2025-14905 (fixed schema_attr_enum_callback only). Advisory: 389-ds-campaign-2026-04/001-002-Schema-Heap-Overflow/advisory.md. Source: PSIRTSUPT-7600 (Ian Murphy, Red Hat Product Security).
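The size-calculation mismatch the report describes, as an added C example that is not 389-ds code: a hypothetical, simplified objectclass record (struct oc, oc_alloc_size, append and oc_serialize are all invented names) is serialized twice, once with SUP left out of the size calculation, as in the defect, and once with it counted. A bounded append refuses the write at the point where strcat() would run past the heap allocation, so the undersized case returns NULL instead of corrupting memory.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified objectclass record; not the 389-ds struct. */
struct oc {
    const char *oid;
    const char *name;
    const char *superior;   /* SUP: the field the report says is left out of the size */
};
static const struct oc sample_oc = { "1.2.3.4", "testOC", "top" };   /* constructed sample */

/* Bytes the serializer writes, NUL included. count_sup == 0 mirrors the
 * described defect: SUP is skipped in the size calculation but still emitted. */
static size_t oc_alloc_size(const struct oc *oc, int count_sup)
{
    size_t n = strlen("( ") + strlen(oc->oid) + strlen(" NAME '") + strlen(oc->name) + strlen("'");
    if (count_sup && oc->superior)
        n += strlen(" SUP ") + strlen(oc->superior);
    return n + strlen(" )") + 1;
}

/* Bounded append: returns -1 where strcat() would silently write past 'cap'. */
static int append(char *buf, size_t cap, const char *s)
{
    size_t used = strlen(buf), add = strlen(s);
    if (add >= cap - used)
        return -1;
    memcpy(buf + used, s, add + 1);
    return 0;
}

/* Size the buffer with or without SUP, then write every field (SUP included),
 * as the report describes. Returns a heap string the caller frees, or NULL
 * when the computed size is too small for what gets written. */
char *oc_serialize(const struct oc *oc, int count_sup)
{
    size_t cap = oc_alloc_size(oc, count_sup);
    char *buf = calloc(cap, 1);
    if (!buf) return NULL;
    int rc = append(buf, cap, "( ") || append(buf, cap, oc->oid) || append(buf, cap, " NAME '")
          || append(buf, cap, oc->name) || append(buf, cap, "'");
    if (!rc && oc->superior)
        rc = append(buf, cap, " SUP ") || append(buf, cap, oc->superior);
    if (!rc)
        rc = append(buf, cap, " )");
    if (rc) { free(buf); return NULL; }
    return buf;
}
```

The gap between the two sizes is exactly the SUP text plus its separator, which is the amount strcat() would write beyond the allocation in the undersized case.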

