PatchSiren cyber security CVE debrief

CVE-2026-11791 Red Hat CVE debrief

CVE-2026-11791 is a medium-severity vulnerability in 389 Directory Server that can cause a denial of service (server crash) during schema reload with concurrent LDAP query traffic. The flaw occurs in the attr_syntax_swap_ht() function, which unconditionally frees attribute syntax information nodes, bypassing refcount-based deferred deletion. This can lead to use-after-free or double-free crashes. Administrators triggering schema reload during active LDAP queries may experience server crashes.

Vendor: Red Hat
Product: Red Hat Directory Server 11
CVSS: 5 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-18
Original CVE updated: 2026-06-22
Advisory published: 2026-06-18
Advisory updated: 2026-06-22

Who should care

System administrators and security teams managing 389 Directory Server instances should be aware of this vulnerability. Environments that rely on 389 Directory Server for LDAP services may need to take action to protect against potential denial-of-service attacks.

Technical summary

The CVE-2026-11791 vulnerability is caused by a flaw in the attr_syntax_swap_ht() function of 389 Directory Server. During schema reload, this function unconditionally frees attribute syntax information nodes without following the refcount-based deferred deletion process used elsewhere in the attribute syntax subsystem. This oversight can lead to use-after-free or double-free errors when worker threads access the freed memory during concurrent LDAP query traffic, resulting in a denial-of-service condition that crashes the server.
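To make the refcount mechanism concrete, the following is an added, hypothetical C model written for this debrief; it is not 389 Directory Server source, and the asi_node struct, asi_get/asi_put and the two swap functions are assumptions. It contrasts a table swap that frees the old node unconditionally with one that retires the node and lets the last reference holder free it, which is the deferred-deletion behaviour the summary describes.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical model (not 389 Directory Server code) of an attribute
 * syntax node owned by a hash table and read by worker threads. The real
 * subsystem frees such nodes through reference counts and deferred
 * deletion; the page says attr_syntax_swap_ht() skipped that. free() is
 * simulated with a flag so the faulty path is observable, not a crash. */
typedef struct asi_node {
    int  refcount;  /* readers currently holding the node      */
    bool retired;   /* removed from the table, delete deferred */
    bool freed;     /* simulated free()                        */
} asi_node;

/* A worker takes a reference before using a node it found in the table. */
static void asi_get(asi_node *n) { n->refcount++; }

/* Release a reference; the last reader of a retired node frees it. */
static void asi_put(asi_node *n) {
    if (--n->refcount == 0 && n->retired)
        n->freed = true;
}

/* Modelled faulty swap: frees the old node regardless of readers. */
static void swap_ht_unconditional(asi_node *old) { old->freed = true; }

/* Refcount-aware swap: retire the node; whoever drops the last ref frees it. */
static void swap_ht_deferred(asi_node *old) {
    old->retired = true;
    if (old->refcount == 0)
        old->freed = true;
}

/* One worker holds a node while a schema reload swaps the table.
 * Returns true if the worker would touch already-freed memory, or if the
 * node would never be freed at all (leak); false when the path is safe. */
bool reload_races_with_reader(bool use_deferred_delete) {
    asi_node *n = calloc(1, sizeof *n);
    asi_get(n);                       /* worker starts using the node  */
    if (use_deferred_delete) swap_ht_deferred(n);
    else                     swap_ht_unconditional(n);
    bool use_after_free = n->freed;   /* worker still holds it here    */
    asi_put(n);                       /* worker is done with the node  */
    bool leaked = !n->freed;
    free(n);
    return use_after_free || leaked;
}
```

Running reload_races_with_reader(false) reports the unsafe outcome the advisory describes, while reload_races_with_reader(true) shows the deferred path freeing the node only after the worker releases its reference.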

Defensive priority

Medium

Recommended defensive actions

  • Apply the security patch or update provided by the vendor as soon as possible.
  • Restrict schema reload operations to maintenance windows with minimal LDAP query traffic.
  • Monitor server logs and performance closely during schema reload operations.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Review and update incident response plans to include procedures for handling potential denial-of-service attacks.
  • Consider temporarily disabling schema reload functionality if immediate patching is not feasible.
  • Engage with the vendor or relevant security community for additional guidance and support.

Evidence notes

The information provided is based on data from official sources, including CVE.org and the National Vulnerability Database (NVD). The CVE record and NVD details were accessed on June 18, 2026. Additional references include Red Hat security advisories and bug reports, which may provide further context and mitigation strategies.

Official resources

CVE-2026-11791 was published on June 18, 2026, and modified on the same day. The vulnerability affects 389 Directory Server, potentially leading to denial-of-service conditions during schema reload operations with concurrent LDAP traffic.