PatchSiren cyber security CVE debrief
CVE-2026-9064 Red Hat CVE debrief
CVE-2026-9064 describes a denial-of-service weakness in the 389-ds-base LDAP server where get_ldapmessage_controls_ext() does not cap the number of controls in a single LDAP message. An unauthenticated remote attacker can send a crafted request carrying a very large number of minimal controls that still fits within the default BER message size limit, driving excessive CPU use and heap allocation. Under concurrent load, the impact can escalate to latency spikes, worker-thread starvation, or process termination from out-of-memory conditions.
- Vendor: Red Hat
- Product: Red Hat Directory Server 11
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
Operators and administrators of 389-ds-base LDAP directory servers, especially services exposed to untrusted networks or shared by multiple tenants. Availability-focused teams should treat this as a server-side denial-of-service risk for authentication, directory lookup, and identity infrastructure.
Technical summary
The issue is a resource-exhaustion flaw (CWE-770) in LDAP message parsing. NVD records the attack vector as network-based, low complexity, no privileges, and no user interaction, with availability impact only (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The reported behavior is that the server accepts LDAP messages containing hundreds of thousands of minimal controls within the default 2 MB BER size limit, causing disproportionate CPU and heap work before request handling completes. A minimal control is only a few bytes of BER (a SEQUENCE wrapping a one-byte controlType), so a single 2 MB message can carry several hundred thousand of them while each one still costs the server a per-control parse and allocation. The result is denial of service, particularly when multiple requests are sent concurrently.
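To make the size arithmetic and the missing check concrete, here is an added Python example. It is not code from this debrief's sources or from 389-ds-base, and it does not reproduce get_ldapmessage_controls_ext(); it builds an RFC 4511 LDAPMessage with N minimal BER controls to show how many fit under a 2 MiB limit, and then parses the controls list with a per-message cap enforced while iterating, which is the bound the vulnerable path lacks. MAX_CONTROLS, the helper names, and the use of an UnbindRequest as the protocolOp are assumptions chosen for illustration.

```python
"""Bounded LDAP controls parsing (RFC 4511 framing, BER encoding).

Added example for this debrief, not 389-ds-base code. MAX_CONTROLS and all
function names are assumptions chosen for illustration.
"""

MAX_CONTROLS = 64                    # assumed cap; tune per deployment
DEFAULT_MAX_BER = 2 * 1024 * 1024    # 2 MiB default BER limit cited in the summary


def ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, else 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Tag + length + value."""
    return bytes([tag]) + ber_len(len(body)) + body


def minimal_control() -> bytes:
    """Control ::= SEQUENCE { controlType LDAPOID } with a one-byte OID string: 5 bytes on the wire."""
    return tlv(0x30, tlv(0x04, b"1"))


def build_message(num_controls: int) -> bytes:
    """LDAPMessage { messageID 1, UnbindRequest, controls [0] } carrying N minimal controls."""
    body = tlv(0x02, b"\x01") + bytes([0x42, 0x00])          # INTEGER 1, UnbindRequest NULL
    if num_controls:
        body += tlv(0xA0, minimal_control() * num_controls)  # [0] IMPLICIT Controls
    return tlv(0x30, body)


def max_controls_within(limit: int = DEFAULT_MAX_BER) -> int:
    """Largest N whose whole message still fits in `limit` bytes (about 419k for 2 MiB)."""
    n = limit // len(minimal_control())
    while len(build_message(n)) > limit:
        n -= 1
    return n


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV at pos; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, pos, end


def count_controls(msg: bytes, max_controls: int = MAX_CONTROLS) -> int:
    """Count controls, failing as soon as the cap is exceeded, before all of them are materialised."""
    if len(msg) > DEFAULT_MAX_BER:
        raise ValueError("message exceeds BER size limit")
    tag, pos, end = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _, pos = read_tlv(msg, pos)        # messageID
    _, _, pos = read_tlv(msg, pos)        # protocolOp (not interpreted here)
    if pos >= end:
        return 0                          # no controls element present
    tag, pos, cend = read_tlv(msg, pos)
    if tag != 0xA0 or cend > end:
        raise ValueError("unexpected element after protocolOp")
    count = 0
    while pos < cend:
        tag, _, pos = read_tlv(msg, pos)
        if tag != 0x30 or pos > cend:
            raise ValueError("malformed Control")
        count += 1
        if count > max_controls:          # the bound the vulnerable path lacks
            raise ValueError(f"too many controls (> {max_controls})")
    return count


def accepts(msg: bytes, max_controls: int = MAX_CONTROLS) -> bool:
    """True when the message parses within the cap, False when it is rejected."""
    try:
        count_controls(msg, max_controls)
        return True
    except ValueError:
        return False
```

Running max_controls_within() shows that roughly 419,000 five-byte controls fit under the 2 MiB limit, which is the "hundreds of thousands" the summary describes. The cap in count_controls is checked on every iteration, so the work done on a rejected message is bounded by the cap rather than by the message size; a check applied only after the whole list has been decoded would still leave the allocation cost in place.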
Defensive priority
High. The issue is remotely reachable, unauthenticated, and availability-impacting. Even without confidentiality or integrity impact, the combination of low attack complexity and possible worker starvation/OOM makes it important for exposed directory services.
Recommended defensive actions
- Follow the Red Hat security advisory for CVE-2026-9064 and apply vendor fixes or mitigations as soon as they are available.
- Reduce exposure of LDAP services to untrusted networks where possible, and restrict access with network controls and segmentation.
- Monitor for unusual spikes in LDAP request rates, CPU consumption, heap usage, and worker-thread saturation.
- Review service limits and resource controls for directory infrastructure so abnormal request patterns fail safely rather than exhausting shared resources.
- Track the associated Red Hat Bugzilla and NVD record for updates, affected-version clarification, and remediation guidance.
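The monitoring step above is easiest to act on with concrete thresholds. The following is an added Python example, not part of this debrief's sources or of 389-ds-base: it runs two heuristics over constructed access-log lines, a per-client request-rate check per minute and a count of slow RESULT lines by their etime field. The line layout is a constructed approximation of the 389-ds access log (a connection line mapping conn= to a client address, then op= lines), and the thresholds and sample addresses are assumptions to tune per deployment.

```python
"""Rate and latency heuristics over 389-ds-style access log lines.

Added example for the monitoring recommendation; not 389-ds-base code. The
log layout is a constructed approximation and the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")
CONN_RE = re.compile(r"^fd=\d+ slot=\d+ connection from (?P<src>\S+) to ")
OP_RE = re.compile(r"^op=\d+ (?P<kind>[A-Z]+)")
ETIME_RE = re.compile(r"\betime=(?P<etime>[0-9.]+)")


def _bucket(ts: str) -> int:
    """Minute bucket from '20/May/2026:10:00:05.000000000 +0000' (fraction and zone dropped)."""
    stamp = ts.split(".")[0]
    dt = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) // 60


def analyze(lines, ops_per_minute: int = 300, slow_etime: float = 1.0):
    """Return alerts as (kind, source, count) tuples."""
    conn_src = {}                       # conn id -> client address
    ops = defaultdict(int)              # (src, minute bucket) -> request count
    slow = defaultdict(int)             # src -> RESULT lines with etime >= slow_etime
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        cm = CONN_RE.match(rest)
        if cm:
            conn_src[conn] = cm["src"]
            continue
        om = OP_RE.match(rest)
        if not om:
            continue
        src = conn_src.get(conn, "unknown")
        if om["kind"] == "RESULT":      # server-side completion line, carries etime
            em = ETIME_RE.search(rest)
            if em and float(em["etime"]) >= slow_etime:
                slow[src] += 1
        else:                           # client request line (BIND, SRCH, MOD, ...)
            ops[(src, _bucket(m["ts"]))] += 1
    alerts = []
    for (src, _bucket_id), n in sorted(ops.items()):
        if n >= ops_per_minute:
            alerts.append(("high_request_rate", src, n))
    for src, n in sorted(slow.items()):
        alerts.append(("slow_results", src, n))
    return alerts


def make_sample_log():
    """Constructed sample: one quiet client (10.0.0.5) and one hammering the server (10.0.0.9)."""
    t = "20/May/2026:10:00:{:02d}.000000000 +0000"
    lines = [
        f"[{t.format(0)}] conn=7 fd=64 slot=64 connection from 10.0.0.5 to 10.0.0.1",
        f'[{t.format(1)}] conn=7 op=0 BIND dn="uid=svc,ou=people,dc=example,dc=com" method=128 version=3',
        f"[{t.format(1)}] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0.001200",
        f"[{t.format(2)}] conn=8 fd=65 slot=65 connection from 10.0.0.9 to 10.0.0.1",
    ]
    for i in range(400):                # 400 searches in 40 seconds from one client
        sec = 2 + i // 10
        lines.append(f'[{t.format(sec)}] conn=8 op={i} SRCH base="dc=example,dc=com" '
                     f'scope=2 filter="(uid=u{i})" attrs=ALL')
    lines.append(f"[{t.format(45)}] conn=8 op=399 RESULT err=0 tag=101 nentries=0 etime=2.500000")
    return lines
```

The rate check keys on the client address rather than the connection id because an attacker can open many short connections; the etime check catches the symptom the advisory describes (each request doing disproportionate work) even when the request count alone looks ordinary. Both thresholds should be set from a baseline of the directory's normal traffic before being used to page anyone.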
Evidence notes
This debrief is based on the supplied NVD record and linked official references. The NVD entry was published on 2026-05-20 and was still marked 'Awaiting Analysis' at the time of the supplied source snapshot. The provided description states that get_ldapmessage_controls_ext() in 389-ds-base does not enforce an upper bound on LDAP controls per message, enabling remote unauthenticated denial of service through CPU and heap exhaustion. NVD also records CWE-770 and CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Red Hat security and Bugzilla links were provided as official references; no affected-version range was supplied in the source corpus.
Official resources
Publicly disclosed in the NVD record on 2026-05-20, with Red Hat security and Bugzilla references included in the official source set. The supplied record indicates the vulnerability was still awaiting analysis in NVD at the time of the 202