CVE-2026-11774— 389-ds-base: 389-ds-base: integer overflow in sasl packet length bypasses size limit leading to heap buffer overflow
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1203 · Exploitation for Client ExecutionAffected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Directory Server 11 | any | affected |
| Red Hat | Red Hat Directory Server 12 | any | affected |
| Red Hat | Red Hat Directory Server 13 | any | affected |
| Red Hat | Red Hat Enterprise Linux 10 | any | affected |
| Red Hat | Red Hat Enterprise Linux 6 | any | unaffected |
| Red Hat | Red Hat Enterprise Linux 7 | any | affected |
| Red Hat | Red Hat Enterprise Linux 8 | any | affected |
| Red Hat | Red Hat Enterprise Linux 9 | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-11774
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
389-ds-base: 389-ds-base: integer overflow in sasl packet length bypasses size limit leading to heap buffer overflow
Source: NVD (National Vulnerability Database)
Vulnerability Description
An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
整数溢出或超界折返
Source: NVD (National Vulnerability Database)
Vulnerability Title
389 Directory Server 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
389 Directory Server是389 Directory Server开源的一个高度可用、功能齐全、可靠和安全的LDAP服务器实现。 389 Directory Server存在输入验证错误漏洞,该漏洞源于SASL I/O层整数溢出,在sasl_io_start_packet()中,将sizeof(uint32_t)添加到特制SASL数据包长度前缀0xFFFFFFFC导致无符号环绕为零,绕过nsslapd-maxsasliosize限制,导致堆缓冲区溢出,攻击者可控制约2兆字节数据,可能导致拒
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Directory Server 11 | - | cpe:/a:redhat:directory_server:11 | |
| Red Hat | Red Hat Directory Server 12 | - | cpe:/a:redhat:directory_server:12 | |
| Red Hat | Red Hat Directory Server 13 | - | cpe:/a:redhat:directory_server:13 | |
| Red Hat | Red Hat Enterprise Linux 10 | - | cpe:/o:redhat:enterprise_linux:10 | |
| Red Hat | Red Hat Enterprise Linux 6 | - | cpe:/o:redhat:enterprise_linux:6 | |
| Red Hat | Red Hat Enterprise Linux 7 | - | cpe:/o:redhat:enterprise_linux:7 | |
| Red Hat | Red Hat Enterprise Linux 8 | - | cpe:/o:redhat:enterprise_linux:8 | |
| Red Hat | Red Hat Enterprise Linux 9 | - | cpe:/o:redhat:enterprise_linux:9 |
II. Public POCs for CVE-2026-11774
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-11774
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-11774 (3)
Same Patch Batch · Red Hat · 2026-06-11 · 5 CVEs total
| CVE-2026-53701 | 6.5 MEDIUM | Gstreamer1-plugins-bad-free: gstreamer: out-of-bounds write in h.266/vvc pps picture parti |
| CVE-2026-53702 | 6.5 MEDIUM | Gstreamer1-plugins-bad-free: gstreamer: stack buffer overflow in h.265 buffering period se |
| CVE-2026-11850 | 5.0 MEDIUM | Krb5: krb5: integer underflow in berval2tl_data() leads to heap out-of-bounds read |
| CVE-2026-11986 | 4.9 MEDIUM | Keycloak-rest-admin-ui-ext: authorization bypass vulnerability in the admin-ui-ext bulk ro |
IV. Related Vulnerabilities
Same product: Red Hat Directory Server 11
- CVE-2026-11791
389-ds-base: 389-ds-base: use-after-free in schema reload vi - CVE-2026-12528
389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__n - CVE-2026-11884
389-ds-base: 389-ds-base: heap buffer overflow in schema obj - CVE-2026-11792
389-ds-base: 389-ds-base: heap buffer overflow in audit log - CVE-2026-11793
389-ds-base: 389-ds-base: stack buffer overflow in checkpref
Same vendor: Red Hat
- CVE-2026-12726
Awx: automation-controller: awx: github webhook second-order - CVE-2026-56211
Libaom: libaom: remote code execution via svc layer context - CVE-2026-56210
Libaom: libaom: heap-buffer-overflow read via missing bounds - CVE-2026-56209
Libaom: libaom: arbitrary address write via svc layer contex - CVE-2026-56208
Libaom: libaom: heap buffer overflow in av1 encoder first-pa
Same weakness: CWE-190
- CVE-2026-49346
libde265 has a heap buffer overflow in de265_image_get_buffe - CVE-2026-3196
Qemu-kvm: virtio-snd: integer overflow leading to unbounded - CVE-2026-8805
Denial-of-service (DoS) vulnerability in MELSEC iQ-F Series - CVE-2026-44663
OpenEXR: Integer overflow in the HTJ2K decoder leads to heap - CVE-2026-55203
HAProxy - Integer Overflow in FCGI Demux Record Length Field
V. Comments for CVE-2026-11774
No comments yet