CVE-2026-9064— 389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)
Possible ATT&CK Techniques 2AI
T1190 · Exploit Public-Facing Application T1499 · Endpoint Denial of ServiceAffected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Directory Server 11 | any | affected |
| Red Hat | Red Hat Directory Server 12 | any | affected |
| Red Hat | Red Hat Directory Server 13 | any | affected |
| Red Hat | Red Hat Enterprise Linux 10 | any | affected |
| Red Hat | Red Hat Enterprise Linux 6 | any | unknown |
| Red Hat | Red Hat Enterprise Linux 7 | any | affected |
| Red Hat | Red Hat Enterprise Linux 8 | any | affected |
| Red Hat | Red Hat Enterprise Linux 9 | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9064
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
389 Directory Server 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
389 Directory Server是389 Directory Server开源的一个高度可用、功能齐全、可靠和安全的LDAP服务器实现。 389 Directory Server存在安全漏洞,该漏洞源于get_ldapmessage_controls_ext函数未对LDAP消息中的控制数量设置上限,可能导致远程未认证攻击者发送特制请求造成拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Directory Server 11 | - | cpe:/a:redhat:directory_server:11 | |
| Red Hat | Red Hat Directory Server 12 | - | cpe:/a:redhat:directory_server:12 | |
| Red Hat | Red Hat Directory Server 13 | - | cpe:/a:redhat:directory_server:13 | |
| Red Hat | Red Hat Enterprise Linux 10 | - | cpe:/o:redhat:enterprise_linux:10 | |
| Red Hat | Red Hat Enterprise Linux 6 | - | cpe:/o:redhat:enterprise_linux:6 | |
| Red Hat | Red Hat Enterprise Linux 7 | - | cpe:/o:redhat:enterprise_linux:7 | |
| Red Hat | Red Hat Enterprise Linux 8 | - | cpe:/o:redhat:enterprise_linux:8 | |
| Red Hat | Red Hat Enterprise Linux 9 | - | cpe:/o:redhat:enterprise_linux:9 |
II. Public POCs for CVE-2026-9064
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9064
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9064 (2)
Same Patch Batch · Red Hat · 2026-05-20 · 4 CVEs total
| CVE-2026-9149 | 6.5 MEDIUM | Libsolv: heap buffer overflow in libsolv repo_add_solv via negative maxsize from crafted . |
| CVE-2026-9150 | 6.5 MEDIUM | Libsolv: stack-based buffer overflow in libsolv's debian metadata parser when handling sha |
| CVE-2026-9087 | 6.4 MEDIUM | Keycloak: cross-session email verification proof not bound to upstream identity in first-b |
IV. Related Vulnerabilities
Same vendor: Red Hat
- CVE-2026-10101
Assisted-service: assisted-service: infraenv status leaks re - CVE-2026-42965
Openshift/router: openshift/router: cloud metadata ssrf via - CVE-2026-46579
Openshift/router: openshift/router: mtls client certificate - CVE-2026-10078
Quay/config-tool: quay/config-tool: gitlab oauth client_secr - CVE-2026-10052
Quay/config-tool: quay/config-tool: ssrf via unfiltered ldap
Same weakness: CWE-770
- CVE-2026-45023
AutoGP: Credit system bypassed via direct block execution in - CVE-2026-45292
opentelemetry-java: Unbounded Memory Allocation in W3C Bagga - CVE-2026-45078
Synapse CPU starvation (Denial of Service) - CVE-2026-48735
pypdf: Manipulated XMP metadata streams can exhaust RAM - CVE-2026-1402
Allocation of Resources Without Limits or Throttling in GitL
V. Comments for CVE-2026-9064
No comments yet