Threat Feed
medium advisory

CVE-2026-9064: 389-ds-base Unauthenticated Remote Denial-of-Service

CVE-2026-9064 is a denial-of-service vulnerability in 389-ds-base: an unauthenticated remote attacker can send a crafted LDAP request carrying an excessive number of controls, causing excessive CPU consumption and heap allocation that degrades latency, starves worker threads, or terminates the server out of memory.

A denial-of-service vulnerability, tracked as CVE-2026-9064, exists in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server component does not enforce an upper bound on the number of controls permitted in a single LDAP message. A remote, unauthenticated attacker can exploit this by sending a specially crafted LDAP request that contains an excessive number of minimal controls (hundreds of thousands) while still fitting within the default maximum BER message size of 2 MB; because each minimal control occupies only a few bytes, the per-message size limit does not stop the request. Parsing it consumes excessive CPU time and heap memory on the server. When several such requests are sent concurrently, the result is significant latency degradation, worker thread starvation, or out-of-memory termination, that is, a denial of service.

Attack Chain

  1. The attacker identifies a reachable 389-ds-base LDAP server running a vulnerable version.
  2. The attacker crafts a malicious LDAP request containing a very large number of minimal controls, sized to stay within the default maximum BER message size (2 MB) so that the message is not rejected up front.
  3. The attacker sends the crafted LDAP request to the target server; no bind or other authentication is required.
  4. get_ldapmessage_controls_ext() processes the incoming request without checking the number of controls against any upper bound.
  5. The server spends excessive CPU time parsing and processing the controls in the message.
  6. The server allocates excessive heap memory to store and manage the parsed controls.
  7. Under concurrent requests of this kind, worker threads are starved by the CPU and memory consumption.
  8. Latency for legitimate clients degrades, and the server may be terminated by an out-of-memory condition, resulting in a denial of service.

Impact

Successful exploitation of CVE-2026-9064 causes a denial-of-service condition on the targeted 389-ds-base LDAP server. Services that depend on the directory, such as user authentication, directory lookups, and other critical functions, are disrupted for the duration of the attack or until the server is restarted. Because the vulnerability can be exploited remotely without authentication, an attacker needs only network access to the LDAP service.

Recommendation

  • Apply the security patches for 389-ds-base that remediate CVE-2026-9064 as soon as they are available from Red Hat; check the vendor advisory for CVE-2026-9064 for the fixed package versions. Until patched, restricting network access to the LDAP service to trusted clients reduces exposure to unauthenticated requests.
  • Deploy the Sigma rule “Detect CVE-2026-9064 Exploitation Attempt — Excessive LDAP Controls” to detect LDAP traffic attempting to exploit this vulnerability.
  • Monitor network traffic for LDAP requests containing an unusually high number of controls (see the attack chain above); the control count, rather than message size alone, is the reliable signal, since the crafted request fits within the default 2 MB size limit.
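As an added illustration of what the monitoring recommendation above and the two detection rules below actually have to measure, the following Python script is example code written for this page, not code from 389-ds-base or the platform's Sigma rules. It encodes LDAPMessages by hand, walks the BER envelope to count the Control elements in the optional [0] Controls field without decoding the protocolOp, and flags messages whose control count or total size exceeds a threshold. The thresholds, the tag constants, and the anonymous bind requests used as sample traffic are assumptions constructed for the example.

```python
"""Count LDAP controls and message size in raw LDAPMessage bytes (BER).

Example added for this advisory; not 389-ds-base code and not the platform's
detection rules. Thresholds and sample messages are constructed assumptions.
"""

# Assumed tuning values. Legitimate clients send at most a handful of controls
# per request, so even a low count threshold produces few false positives.
MAX_CONTROLS_PER_MESSAGE = 50
MAX_MESSAGE_BYTES = 1_000_000

# Single-byte BER tags used by LDAP (RFC 4511 defines no multi-byte tags).
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # [0] simple inside AuthenticationChoice
TAG_CONTROLS = 0xA0       # [0] Controls, constructed


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(body)) + body


def ber_integer(v: int) -> bytes:
    """Minimal two's-complement INTEGER contents for a non-negative value."""
    return v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True)


def minimal_control(oid: str = "1.1") -> bytes:
    """Control ::= SEQUENCE { controlType } with no criticality and no value."""
    return tlv(TAG_SEQUENCE, tlv(TAG_OCTET_STRING, oid.encode()))


def anonymous_bind_request() -> bytes:
    """BindRequest: version 3, empty name, empty simple password (constructed sample)."""
    return tlv(TAG_BIND_REQUEST, tlv(TAG_INTEGER, b"\x03") + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_SIMPLE_AUTH, b""))


def build_ldap_message(message_id: int, protocol_op: bytes, controls=()) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID, protocolOp, controls [0] OPTIONAL }."""
    body = tlv(TAG_INTEGER, ber_integer(message_id)) + protocol_op
    if controls:
        body += tlv(TAG_CONTROLS, b"".join(controls))
    return tlv(TAG_SEQUENCE, body)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body_start, body_end) for the TLV at pos; reject malformed lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid in LDAP")
    else:
        n = first & 0x7F
        if n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV body runs past end of buffer")
    return tag, pos, pos + length


def count_controls(message: bytes) -> int:
    """Count Control elements in an LDAPMessage; only TLV lengths are read, nothing is stored."""
    tag, pos, end = read_tlv(message, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, _, pos = read_tlv(message, pos)          # messageID
    if tag != TAG_INTEGER:
        raise ValueError("messageID must be an INTEGER")
    _, _, pos = read_tlv(message, pos)            # protocolOp, skipped as a whole
    if pos >= end:
        return 0
    tag, cpos, cend = read_tlv(message, pos)
    if tag != TAG_CONTROLS:
        return 0
    count = 0
    while cpos < cend:
        tag, _, cpos = read_tlv(message, cpos)
        if tag != TAG_SEQUENCE:
            raise ValueError("Control must be a SEQUENCE")
        count += 1
    return count


def inspect_message(message: bytes, max_controls=MAX_CONTROLS_PER_MESSAGE, max_bytes=MAX_MESSAGE_BYTES) -> dict:
    """Apply both checks the advisory's detection rules describe to one message."""
    alerts = []
    controls = count_controls(message)
    if controls > max_controls:
        alerts.append("excessive-ldap-controls")
    if len(message) > max_bytes:
        alerts.append("large-ldap-message")
    return {"bytes": len(message), "controls": controls, "alerts": alerts}


if __name__ == "__main__":
    # Constructed sample traffic: a plain anonymous bind and one padded with 300 controls.
    benign = build_ldap_message(1, anonymous_bind_request())
    flood = build_ldap_message(2, anonymous_bind_request(), [minimal_control()] * 300)
    for name, msg in (("benign", benign), ("flood", flood)):
        print(name, inspect_message(msg))
```

The control count is the discriminating signal: a minimal control here is seven bytes, so a request can carry far more controls than any legitimate client sends while staying well inside the default 2 MB limit, which is why the size-based rule below is rated lower. The counter reads only TLV lengths and keeps no per-control state, so it can be run inline on captured traffic without reproducing the cost the advisory attributes to the vulnerable parser.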

Detection coverage (2 rules)

Detect CVE-2026-9064 Exploitation Attempt — Excessive LDAP Controls

medium

Detects CVE-2026-9064 exploitation — LDAP request with an excessive number of controls, potentially leading to denial of service.

Format: Sigma | Tactic: availability | Technique: T1498 | Sources: network_connection, linux

Detect CVE-2026-9064 Exploitation Attempt - Large LDAP Message Size

low

Detects CVE-2026-9064 exploitation attempts by flagging LDAP messages that exceed a reasonable size threshold. Adjust the threshold to your environment; because the crafted request fits within the default 2 MB BER limit, this rule is a supporting signal rather than a primary detection.

Format: Sigma | Tactic: availability | Technique: T1498 | Sources: network_connection, linux
