PatchSiren cyber security CVE debrief
CVE-2026-11610 Red Hat CVE debrief
A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). Users of 389 Directory Server, particularly those with deployments in FreeIPA and Red Hat Identity Management, should be aware of this vulnerability. Any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI.
- Vendor
- Red Hat
- Product
- Red Hat Directory Server 11
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-07
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-07
- Advisory updated
- 2026-07-07
Who should care
Users of 389 Directory Server, particularly those with deployments in FreeIPA and Red Hat Identity Management, should be aware of this vulnerability. Any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. Operators of affected systems should prioritize patching and review compensating controls.
Technical summary
The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only. The vulnerability has a CVSS score of 8.8 and is considered HIGH severity. This heap buffer overflow flaw in the SASL I/O layer of 389 Directory Server (389-ds-base) can be triggered after a successful SASL bind with integrity protection (SSF > 0). An authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash).
Defensive priority
High priority should be given to patching this vulnerability, especially in deployments where authentication via GSSAPI is used. Review and implement compensating controls such as monitoring for suspicious network activity, restrict access to the affected system, and consider alternative authentication methods.
Recommended defensive actions
- Apply the vendor patch as soon as available
- Implement compensating controls such as monitoring for suspicious network activity
- Restrict access to the affected system to only necessary personnel
- Consider using alternative authentication methods
- Inventory and audit affected systems for potential exposure
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-07T10:16:39.690Z and has not been modified since then. The NVD entry is currently in the 'Received' status. This information is based on the supplied source corpus and may not reflect the full scope of affected systems or potential impacts. Further verification is recommended to assess exposure and prioritize defensive actions.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-07T10:16:39.690Z and has not been modified since then. The NVD entry is currently in the 'Received' status.