{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-9064/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-9064"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["389-ds-base"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","ldap","CVE-2026-9064"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA denial-of-service vulnerability, tracked as CVE-2026-9064, exists in 389-ds-base. The \u003ccode\u003eget_ldapmessage_controls_ext()\u003c/code\u003e function within the LDAP server component fails to properly enforce an upper bound on the number of controls permitted per LDAP message. This oversight enables a remote, unauthenticated attacker to exploit the vulnerability by sending a specially crafted LDAP request. The malicious request contains an excessive number (hundreds of thousands) of minimal controls, yet remains within the default maximum BER message size limit of 2 MB. Processing this request results in excessive CPU consumption and heap allocation on the server. In scenarios involving concurrent exploitation, the vulnerability leads to significant latency degradation, worker thread starvation, or out-of-memory termination, ultimately resulting in a denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable 389-ds-base LDAP server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious LDAP request. This request includes a large number of LDAP controls, approaching the maximum allowed BER message size (2 MB).\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted LDAP request to the target server.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eget_ldapmessage_controls_ext()\u003c/code\u003e function processes the incoming request without properly validating the number of controls.\u003c/li\u003e\n\u003cli\u003eThe server allocates excessive CPU resources to parse and process the large number of controls in the malicious LDAP message.\u003c/li\u003e\n\u003cli\u003eThe server allocates excessive heap memory to store and manage the large number of LDAP controls.\u003c/li\u003e\n\u003cli\u003eUnder concurrent attacks, worker threads become starved due to excessive CPU and memory consumption.\u003c/li\u003e\n\u003cli\u003eThe server experiences latency degradation, and potentially terminates due to out-of-memory conditions, resulting in a denial-of-service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9064 leads to a denial-of-service condition on the targeted 389-ds-base LDAP server. This can result in disruption of services dependent on the LDAP server, impacting user authentication, directory lookups, and other critical functions. The vulnerability can be exploited remotely without authentication, making it easily exploitable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest security patches for 389-ds-base to remediate CVE-2026-9064 as soon as they are available from Red Hat (reference: CVE-2026-9064).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-9064 Exploitation Attempt — Excessive LDAP Controls\u0026rdquo; to detect potentially malicious LDAP traffic attempting to exploit this vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious LDAP requests containing an unusually high number of controls (reference: description of the attack chain and the \u003ccode\u003eget_ldapmessage_controls_ext()\u003c/code\u003e function).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T10:17:45Z","date_published":"2026-05-20T10:17:45Z","id":"https://feed.craftedsignal.io/briefs/2026-05-389-ds-dos/","summary":"CVE-2026-9064 describes a denial-of-service vulnerability in 389-ds-base where an unauthenticated attacker can send a crafted LDAP request with excessive controls, causing excessive CPU consumption and heap allocation, leading to latency degradation, worker thread starvation, or out-of-memory termination.","title":"CVE-2026-9064: 389-ds-base Unauthenticated Remote Denial-of-Service","url":"https://feed.craftedsignal.io/briefs/2026-05-389-ds-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-9064","version":"https://jsonfeed.org/version/1.1"}