An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
History

Wed, 08 Jul 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
Vendors & Products Redhat rhel Eus
References

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux Eus
CPEs cpe:/a:redhat:directory_server_e4s:12.2::el9
cpe:/o:redhat:enterprise_linux_eus:10.0
Vendors & Products Redhat enterprise Linux Eus
References

Wed, 08 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:directory_server:13.2::el10
References

Wed, 08 Jul 2026 07:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.2::appstream
References

Tue, 07 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:directory_server:11
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:9
cpe:/a:redhat:directory_server:11.9::el8
cpe:/a:redhat:directory_server_e4s:12.4::el9
cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/o:redhat:enterprise_linux:10.2
References

Tue, 07 Jul 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Els
Redhat rhel Eus Long Life
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Aus
Redhat rhel Els
Redhat rhel Eus Long Life
References

Tue, 07 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat directory Server E4s
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:directory_server_e4s:11.5::el8
cpe:/a:redhat:directory_server_e4s:11.7::el8
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:9.4::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
Vendors & Products Redhat directory Server E4s
Redhat rhel E4s
Redhat rhel Tus
References

Fri, 12 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat redhat Directory Server
Vendors & Products Redhat redhat Directory Server

Fri, 12 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Thu, 11 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
Title 389-ds-base: 389-ds-base: integer overflow in sasl packet length bypasses size limit leading to heap buffer overflow
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-190
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-11T17:54:34.539Z

Updated: 2026-07-09T12:10:05.356Z

Reserved: 2026-06-09T11:57:25.581Z

Link: CVE-2026-11774

cve-icon Vulnrichment

Updated: 2026-07-08T12:05:35.880Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-11T19:16:37.853

Modified: 2026-06-11T20:56:29.653

Link: CVE-2026-11774

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-04T21:00:00Z

Links: CVE-2026-11774 - Bugzilla