CVE-2026-9064

⚠️ high

Summary

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation,

Description

CVSS Score

7.5

High

EPSS Score

0.8

Exploit Probability

Published Date

2026-05-20

First Seen: 2026-05-21

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 68.9% of all 329,456 vulnerabilities in our database.

#102,448

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 20, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

YES

Can be exploited automatically

💥 Technical Impact

Partial

Limited system impact

🏆 Discovered By

Red Hat would like to thank Oleh Konko (1seal.org) for reporting this issue.

SSVC data provided by CISA

Last Modified 2026-06-18

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE IDs (Weakness Types)

CWE-770

📦 Affected Products 9

Vendor	Product	Status	Affected Versions
redhat	directory_server	Affected	v11.0
redhat	directory_server	Affected	v12.0
redhat	directory_server	Affected	v13.0
redhat	enterprise_linux	Affected	v10.0
redhat	enterprise_linux	Affected	v6.0
redhat	enterprise_linux	Affected	v7.0
redhat	enterprise_linux	Affected	v8.0
redhat	enterprise_linux	Affected	v9.0
redhat	389_directory_server	Affected	v-

🔗 References 19

https://access.redhat.com/errata/RHSA-2026:26452

https://access.redhat.com/errata/RHSA-2026:26453

https://access.redhat.com/errata/RHSA-2026:26454

https://access.redhat.com/errata/RHSA-2026:26455

https://access.redhat.com/errata/RHSA-2026:26456

https://access.redhat.com/errata/RHSA-2026:26457

https://access.redhat.com/errata/RHSA-2026:26458

https://access.redhat.com/errata/RHSA-2026:26459

https://access.redhat.com/errata/RHSA-2026:26460

https://access.redhat.com/errata/RHSA-2026:26461

https://access.redhat.com/errata/RHSA-2026:26463

https://access.redhat.com/errata/RHSA-2026:26464

https://access.redhat.com/errata/RHSA-2026:26465

https://access.redhat.com/errata/RHSA-2026:26597

https://access.redhat.com/errata/RHSA-2026:26599

https://access.redhat.com/errata/RHSA-2026:26639

https://access.redhat.com/errata/RHSA-2026:27125

https://access.redhat.com/security/cve/CVE-2026-9064

Mitigation Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2480093

Issue Tracking Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-1764	🔶 medium	5.6	0.2	A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor. When processing specially craf...	2026-06-16
CVE-2026-1766	🔶 medium	5.6	0.2	A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracke...	2026-06-16
CVE-2026-1767	🔶 medium	5.6	0.2	A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` compo...	2026-06-16
CVE-2026-11785	🔶 medium	4.3	0.2	A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial st...	2026-06-09
CVE-2026-11786	ℹ️ low	1.9	0.2	A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute ...	2026-06-09
CVE-2026-11787	🔶 medium	5.0	0.2	A flaw was found in 389 Directory Server. The ldap_utf8prev() function reads bytes before the start of a buffer without ...	2026-06-09

These CVEs affect the same products