A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Project Subscriptions
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
If possible, configure 389 Directory Server to use an alternative password storage scheme (e.g., SSHA512 or GOST-Yescrypt) which uses constant-time comparison.
References
History
Wed, 08 Jul 2026 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Wed, 08 Jul 2026 11:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead. | |
| Title | 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification | |
| First Time appeared |
Redhat
Redhat directory Server Redhat enterprise Linux |
|
| Weaknesses | CWE-208 | |
| CPEs | cpe:/a:redhat:directory_server:11 cpe:/a:redhat:directory_server:12 cpe:/a:redhat:directory_server:13 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9 |
|
| Vendors & Products |
Redhat
Redhat directory Server Redhat enterprise Linux |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-07-08T11:06:57.873Z
Reserved: 2026-07-08T10:00:02.126Z
Link: CVE-2026-15041
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses