Home

Description

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-09 | Updated 2026-06-09 | Assigner redhat




MEDIUM: 4.9CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Problem types

Integer Underflow (Wrap or Wraparound)

Product status

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
unknown

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-04-16:Reported to Red Hat.
2026-04-16:Made public.

References

access.redhat.com/security/cve/CVE-2026-11789 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2485422 (RHBZ#2485422) issue-tracking

redhat.atlassian.net/browse/PSIRTSUPT-7600

cve.org (CVE-2026-11789)

nvd.nist.gov (CVE-2026-11789)

Download JSON