{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/red-hat-identity-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-11610"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["389 Directory Server (389-ds-base \u003e= 1.3.2)","FreeIPA","Red Hat Identity Management"],"_cs_severities":["critical"],"_cs_tags":["heap-overflow","denial-of-service","ldap","sasl","linux","cve"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA critical heap buffer overflow vulnerability, identified as CVE-2026-11610, has been discovered in the SASL I/O layer of 389 Directory Server (389-ds-base). This flaw allows an authenticated attacker to trigger a denial of service by sending a specially crafted, oversized LDAP UNBIND packet after successfully performing a SASL bind with integrity protection (SSF \u0026gt; 0). The vulnerability stems from a lack of bounds checking when copying the packet into a 512-byte heap receive buffer, permitting an overflow of approximately 2 megabytes of attacker-controlled data, which causes the server to crash. This vulnerability has existed since 389-ds-base version 1.3.2, approximately 2013, making many older deployments susceptible. In FreeIPA and Red Hat Identity Management environments, any domain user with a valid Kerberos ticket, enrolled host, or service account can leverage this over the network after authenticating via GSSAPI, posing a significant threat to critical identity services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access / Authentication\u003c/strong\u003e: An attacker obtains valid credentials or a Kerberos ticket for a domain user, enrolled host, or service account within a FreeIPA or Red Hat Identity Management environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSASL Bind\u003c/strong\u003e: The authenticated attacker successfully performs a SASL bind to the 389 Directory Server, ensuring integrity protection (SSF \u0026gt; 0) is established. This could involve GSSAPI authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Packet\u003c/strong\u003e: The attacker crafts an LDAP UNBIND packet with an intentionally oversized payload.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSend Malicious Packet\u003c/strong\u003e: The attacker sends the specially crafted, oversized LDAP UNBIND packet over the network to the vulnerable 389 Directory Server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHeap Buffer Overflow\u003c/strong\u003e: The \u003ccode\u003esasl_io_recv()\u003c/code\u003e function in \u003ccode\u003esasl_io.c\u003c/code\u003e processes the oversized packet, attempting to copy it into a 512-byte heap receive buffer without performing adequate bounds checks.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMemory Corruption\u003c/strong\u003e: The lack of bounds checking allows approximately 2 megabytes of attacker-controlled data to overflow the small buffer, corrupting adjacent memory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDenial of Service\u003c/strong\u003e: The memory corruption leads to an unhandled exception or critical error, causing the 389 Directory Server process to crash unexpectedly.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eService Interruption\u003c/strong\u003e: The 389 Directory Server becomes unavailable, leading to a denial of service for all dependent services, such as authentication and directory lookups in FreeIPA or Red Hat Identity Management deployments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-11610 results in a critical denial of service, causing the 389 Directory Server to crash and become unavailable. This directly impacts core identity management services, such as those provided by FreeIPA and Red Hat Identity Management deployments. A crashed directory server can disrupt user authentication, application access, and directory lookups across an entire organization, leading to widespread operational paralysis. This vulnerability can be triggered by any authenticated user or service account, making it a significant internal threat vector with a CVSS score of 8.8, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-11610 on all affected 389 Directory Server instances (specifically 389-ds-base versions \u0026gt;= 1.3.2) immediately to prevent denial of service.\u003c/li\u003e\n\u003cli\u003eMonitor 389 Directory Server system logs for unexpected process terminations or crashes, which could indicate exploitation of CVE-2026-11610 or other issues.\u003c/li\u003e\n\u003cli\u003eImplement robust network segmentation and access controls to limit network exposure of 389 Directory Server instances, reducing the attack surface for authenticated users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-07T10:17:48Z","date_published":"2026-07-07T10:17:48Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-11610-389ds-dos/","summary":"A heap buffer overflow vulnerability (CVE-2026-11610) exists in the SASL I/O layer of 389 Directory Server (389-ds-base), active since version 1.3.2. An authenticated attacker can send a specially crafted, oversized LDAP UNBIND packet after a successful SASL bind with integrity protection. This causes approximately 2 megabytes of attacker-controlled data to overflow a 512-byte heap buffer in sasl_io_recv(), leading to a denial of service (server crash).","title":"CVE-2026-11610: 389 Directory Server SASL Heap Buffer Overflow Leading to DoS","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-11610-389ds-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Red Hat Identity Management","version":"https://jsonfeed.org/version/1.1"}