CVE-2026-11786
389-ds-base: heap out-of-bounds read in LDIF parser str2entry_state_information_from_type()
Vexday Risk Score
8 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 1.9 | EPSS 0.2% | KEV no | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
09 Jun 2026: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in 389 Directory Server. The LDIF parser reads past the end of a heap buffer when processing attribute types with trailing semicolons during database import, causing an out-of-bounds read detectable under memory instrumentation.
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
Affected products
Red Hat · Red Hat Directory Server 11
Red Hat · Red Hat Directory Server 12
Red Hat · Red Hat Directory Server 13
Red Hat · Red Hat Enterprise Linux 10
Red Hat · Red Hat Enterprise Linux 6
Red Hat · Red Hat Enterprise Linux 7
Red Hat · Red Hat Enterprise Linux 8
Red Hat · Red Hat Enterprise Linux 9