RHSA-2026:27125

Vulnerability from csaf_redhat - Published: 2026-06-18 16:23 - Updated: 2026-06-18 20:02
Summary
Red Hat Security Advisory: Red Hat Directory Server 13.2 container image update
Severity
Important
Notes
Topic: An updated Red Hat Directory Server 13.2 container image for RHEL 10 is now available in the Red Hat container registry, including bug fixes and security patches.
Details: Red Hat Directory Server is an LDAPv3-compliant directory server. The image is maintained by Red Hat and updated regularly. To pull this container image, run the following command: podman pull registry.redhat.io/dirsrv/dirsrv-container-rhel10:13.2
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
CVE-2026-9064

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product Identifier Version Remediation
Unresolved product id: Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64
Vendor Fix fix
Workaround
Threats
Impact Important
References
Acknowledgments
1seal.org Oleh Konko
To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An updated Red Hat Directory Server 13.2 container image for RHEL 10 is now available in the Red Hat container registry, including bug fixes and security patches.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Directory Server is an LDAPv3-compliant directory server. The image is maintained by Red Hat and updated regularly.\nTo pull this container image, run the following command: podman pull registry.redhat.io/dirsrv/dirsrv-container-rhel10:13.2",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:27125",
        "url": "https://access.redhat.com/errata/RHSA-2026:27125"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/cve/CVE-2026-9064",
        "url": "https://access.redhat.com/security/cve/CVE-2026-9064"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/",
        "url": "https://access.redhat.com/security/updates/classification/"
      },
      {
        "category": "external",
        "summary": "https://catalog.redhat.com/software/containers/search",
        "url": "https://catalog.redhat.com/software/containers/search"
      },
      {
        "category": "external",
        "summary": "https://docs.redhat.com/en/documentation/red_hat_directory_server/13/html/red_hat_directory_server_13_release_notes/index",
        "url": "https://docs.redhat.com/en/documentation/red_hat_directory_server/13/html/red_hat_directory_server_13_release_notes/index"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_27125.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat Directory Server 13.2 container image update",
    "tracking": {
      "current_release_date": "2026-06-18T20:02:10+00:00",
      "generator": {
        "date": "2026-06-18T20:02:10+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.0.0"
        }
      },
      "id": "RHSA-2026:27125",
      "initial_release_date": "2026-06-18T16:23:30+00:00",
      "revision_history": [
        {
          "date": "2026-06-18T16:23:30+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-18T16:23:40+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-18T20:02:10+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Directory Server 13.2",
                "product": {
                  "name": "Red Hat Directory Server 13.2",
                  "product_id": "Red Hat Directory Server 13.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:directory_server:13.2::el10"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Directory Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64",
                "product": {
                  "name": "registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64",
                  "product_id": "registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dirsrv-container-rhel10@sha256%3A51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467?arch=amd64\u0026repository_url=registry.redhat.io/dirsrv/dirsrv-container-rhel10\u0026tag=1781714123"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64 as a component of Red Hat Directory Server 13.2",
          "product_id": "Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64"
        },
        "product_reference": "registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64",
        "relates_to_product_reference": "Red Hat Directory Server 13.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Oleh Konko"
          ],
          "organization": "1seal.org"
        }
      ],
      "cve": "CVE-2026-9064",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-03-05T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480093"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS)",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated Important for Red Hat products shipping 389-ds-base. A remote, unauthenticated attacker with network access to the LDAP port can send a single crafted LDAP request containing an excessive number of minimal controls, causing the server to perform unbounded memory allocations and consume significant CPU time. Under concurrent attack, this can degrade or deny directory service availability through worker thread starvation or out-of-memory conditions.\n\nThe vulnerability is mitigated in environments where the LDAP port is not exposed to untrusted networks (firewall/ACL restrictions). Additionally, lowering nsslapd-maxbersize reduces the maximum message size (and thus the upper bound on controls per message), though this does not fully eliminate the amplification since it caps bytes rather than control count. The definitive fix requires enforcing a maximum controls-per-message limit in the decode loop.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9064"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480093",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480093"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9064",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9064"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9064",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9064"
        }
      ],
      "release_date": "2026-05-20T07:30:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-18T16:23:30+00:00",
          "details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command. For more information about the image, search the \u003cimage_name\u003e in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search",
          "product_ids": [
            "Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:27125"
        },
        {
          "category": "workaround",
          "details": "Restrict network access to the LDAP port (389/tcp, 636/tcp) to trusted networks only using firewall rules or network ACLs. This prevents untrusted remote attackers from reaching the vulnerable code path.\n\nOptionally, lower the nsslapd-maxbersize configuration parameter to reduce the maximum BER message size accepted by the server. Note that this caps bytes, not the number of controls, and does not fully eliminate the amplification. Setting it too low may impact legitimate LDAP operations with large payloads.",
          "product_ids": [
            "Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Directory Server 13.2:registry.redhat.io/dirsrv/dirsrv-container-rhel10@sha256:51f5e2a7accfc7a5346d3915c1e6574438bf788926030c43d92483b41ff4c467_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS)"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.