Description

An integer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). In sasl_io_start_packet(), adding sizeof(uint32_t) to a crafted SASL packet length prefix of 0xFFFFFFFC causes unsigned wraparound to zero, bypassing the nsslapd-maxsasliosize limit and leading to a heap buffer overflow of up to approximately 2 megabytes of attacker-controlled data. After a successful SASL bind with integrity protection (SSF > 0), a remote attacker can cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, enrolled host, or service account can trigger this vulnerability over the network. This flaw is independent of CVE-2025-14905, which patched schema.c only and did not modify sasl_io.c.
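The arithmetic described above, reduced to a small self-contained model in C. This is an added illustration, not code from 389-ds-base; the function names, the 4-byte big-endian prefix, and the 2 MB limit used in main() are assumptions chosen to mirror the description. It shows why a check of the form `prefix + sizeof(uint32_t) <= max` is defeated by a prefix of 0xFFFFFFFC, and how the same check written without the addition rejects it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a SASL I/O length check (not the real sasl_io.c).
 * The wire format is assumed to be a 4-byte big-endian length prefix
 * followed by the payload; the server compares header + payload size
 * against a configured maximum (nsslapd-maxsasliosize in the advisory). */

#define SASL_HEADER_LEN sizeof(uint32_t)

/* Decode the assumed 4-byte big-endian length prefix. */
uint32_t read_length_prefix(const unsigned char hdr[4]) {
    return ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
}

/* Weak pattern: the sum is stored in a 32-bit variable, so
 * 0xFFFFFFFC + 4 becomes 0 and trivially passes the comparison. */
int accept_packet_wrapping(uint32_t prefix, uint32_t max_io_size) {
    uint32_t total = prefix + SASL_HEADER_LEN;  /* truncates to 32 bits */
    return total <= max_io_size;
}

/* Hardened pattern: never form the sum; subtract the constant from the
 * bound instead, so no value of prefix can wrap the comparison. */
int accept_packet_safe(uint32_t prefix, uint32_t max_io_size) {
    if (max_io_size < SASL_HEADER_LEN)
        return 0;
    return prefix <= max_io_size - (uint32_t)SASL_HEADER_LEN;
}

int main(void) {
    /* Constructed sample header carrying the prefix named in the advisory. */
    const unsigned char crafted[4] = { 0xFF, 0xFF, 0xFF, 0xFC };
    const uint32_t max_io_size = 2097152u;  /* assumed 2 MB limit */
    uint32_t prefix = read_length_prefix(crafted);

    printf("prefix 0x%08X: wrapping check accepts=%d, safe check accepts=%d\n",
           prefix,
           accept_packet_wrapping(prefix, max_io_size),
           accept_packet_safe(prefix, max_io_size));
    return 0;
}
```

The wrapping variant reports an allocation size of zero for a packet whose declared payload is close to 4 GiB, which is the mismatch between allocated and copied bytes that the advisory describes; the safe variant rejects the packet before any allocation happens. The same rewrite applies to any `length + constant <= limit` check on attacker-supplied lengths.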

PUBLISHED | Reserved 2026-06-09 | Published 2026-06-11 | Updated 2026-06-12 | Assigner redhat

HIGH: 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Problem types

Integer Overflow or Wraparound

Product status

Default status, in record order (product names are not present in this extract): affected, affected, affected, affected, unaffected, affected, affected, affected

Timeline

2026-04-16: Reported to Red Hat.
2026-06-04: Made public.

References

access.redhat.com/security/cve/CVE-2026-11774 (vdb-entry)

bugzilla.redhat.com/show_bug.cgi?id=2484916 (RHBZ#2484916) (issue-tracking)

redhat.atlassian.net/browse/PSIRTSUPT-7600

cve.org (CVE-2026-11774)

nvd.nist.gov (CVE-2026-11774)
