CVE-2026-9064

HIGH

Red Hat Directory Server - LDAP Controls Denial of Service

Title source: manual

Description

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

References (2)

Core 2

Core References

Vdb Entry, X_Refsource_Redhat vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2026-9064

Issue Tracking, X_Refsource_Redhat issue-tracking x_refsource_redhat

RHBZ#2480093

https://bugzilla.redhat.com/show_bug.cgi?id=2480093

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 24.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (8)

Red Hat/Red Hat Directory Server 11

Red Hat/Red Hat Directory Server 12

Red Hat/Red Hat Directory Server 13

Red Hat/Red Hat Enterprise Linux 10

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7

Red Hat/Red Hat Enterprise Linux 8

Red Hat/Red Hat Enterprise Linux 9

Published May 20, 2026

Tracked Since May 20, 2026