Home

Description

A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.

PUBLISHED Reserved 2026-07-07 | Published 2026-07-07 | Updated 2026-07-07 | Assigner redhat




MEDIUM: 4.4CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Problem types

Generation of Predictable IV with CBC Mode

Product status

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
unknown

Default status
affected

Default status
affected

Default status
affected

Timeline

2026-07-07:Reported to Red Hat.
2026-07-07:Made public.

Credits

Red Hat would like to thank Andrew Rukin (Arenadata) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-14969 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2497735 (RHBZ#2497735) issue-tracking

cve.org (CVE-2026-14969)

nvd.nist.gov (CVE-2026-14969)

Download JSON