A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00815.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Red Hat Red Hat Directory Server 11.5 E4S for RHEL 8 affected
Version Status Constraints
8060020260609102432.0ca98e7e unaffected < *
Red Hat Red Hat Directory Server 11.7 E4S for RHEL 8 affected
Version Status Constraints
8080020260610130252.f969626e unaffected < *
Red Hat Red Hat Directory Server 11.9 for RHEL 8 affected
Version Status Constraints
8100020260601104139.37ed7c03 unaffected < *
Red Hat Red Hat Directory Server 12.2 E4S for RHEL 9 affected
Version Status Constraints
9020020260615123354.1674d574 unaffected < *
Red Hat Red Hat Directory Server 12.4 E4S for RHEL 9 affected
Version Status Constraints
9040020260611130021.1674d574 unaffected < *
Red Hat Red Hat Enterprise Linux 10 affected
Version Status Constraints
0:3.2.0-7.el10_2 unaffected < *
Red Hat Red Hat Enterprise Linux 10.0 Extended Update Support affected
Version Status Constraints
0:3.0.6-18.el10_0 unaffected < *
Red Hat Red Hat Enterprise Linux 7 Extended Lifecycle Support affected
Version Status Constraints
0:1.3.11.1-12.el7_9 unaffected < *
Red Hat Red Hat Enterprise Linux 8 affected
Version Status Constraints
8100020260601102239.25e700aa unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support affected
Version Status Constraints
8040020260609102422.96015a92 unaffected < *
Red Hat Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On affected
Version Status Constraints
8040020260609102422.96015a92 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support affected
Version Status Constraints
8060020260609102416.824efc52 unaffected < *
Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support Long-Life Add-On affected
Version Status Constraints
8060020260609102416.824efc52 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Telecommunications Update Service affected
Version Status Constraints
8080020260610125847.6dbb3803 unaffected < *
Red Hat Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions affected
Version Status Constraints
8080020260610125847.6dbb3803 unaffected < *
Red Hat Red Hat Enterprise Linux 9 affected
Version Status Constraints
0:2.8.0-7.el9_8 unaffected < *
Red Hat Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions affected
Version Status Constraints
0:2.2.4-18.el9_2 unaffected < *
Red Hat Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions affected
Version Status Constraints
0:2.4.5-25.el9_4 unaffected < *
Red Hat Red Hat Enterprise Linux 9.6 Extended Update Support affected
Version Status Constraints
0:2.6.1-21.el9_6 unaffected < *
Red Hat Red Hat Directory Server 13.2 affected
Version Status Constraints
1781714123 unaffected < *
Red Hat Red Hat Directory Server 12 affected
Red Hat Red Hat Directory Server 13 affected
Red Hat Red Hat Enterprise Linux 6 unknown

Configuration 1 [-]

OR cpe:2.3:a:redhat:directory_server:11.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:directory_server:12.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:directory_server:13.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:389_directory_server:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Redhat Subscribe
Enterprise Linux Subscribe
Redhat Directory Server Subscribe

Project Subscriptions

Vendors Products
Redhat Subscribe
389 Directory Server Subscribe
Directory Server Subscribe
Directory Server E4s Subscribe
Enterprise Linux Subscribe
Enterprise Linux Eus Subscribe
Redhat Directory Server Subscribe
Rhel Aus Subscribe
Rhel E4s Subscribe
Rhel Els Subscribe
Rhel Eus Subscribe
Rhel Eus Long Life Subscribe
Rhel Tus Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

Restrict network access to the LDAP port (389/tcp, 636/tcp) to trusted networks only using firewall rules or network ACLs. This prevents untrusted remote attackers from reaching the vulnerable code path. Optionally, lower the nsslapd-maxbersize configuration parameter to reduce the maximum BER message size accepted by the server. Note that this caps bytes, not the number of controls, and does not fully eliminate the amplification. Setting it too low may impact legitimate LDAP operations with large payloads.

References
Link Providers
https://access.redhat.com/errata/RHSA-2026:26452 cve-icon
https://access.redhat.com/errata/RHSA-2026:26453 cve-icon
https://access.redhat.com/errata/RHSA-2026:26454 cve-icon
https://access.redhat.com/errata/RHSA-2026:26455 cve-icon
https://access.redhat.com/errata/RHSA-2026:26456 cve-icon
https://access.redhat.com/errata/RHSA-2026:26457 cve-icon
https://access.redhat.com/errata/RHSA-2026:26458 cve-icon
https://access.redhat.com/errata/RHSA-2026:26459 cve-icon
https://access.redhat.com/errata/RHSA-2026:26460 cve-icon
https://access.redhat.com/errata/RHSA-2026:26461 cve-icon
https://access.redhat.com/errata/RHSA-2026:26463 cve-icon
https://access.redhat.com/errata/RHSA-2026:26464 cve-icon
https://access.redhat.com/errata/RHSA-2026:26465 cve-icon
https://access.redhat.com/errata/RHSA-2026:26597 cve-icon
https://access.redhat.com/errata/RHSA-2026:26599 cve-icon
https://access.redhat.com/errata/RHSA-2026:26639 cve-icon
https://access.redhat.com/errata/RHSA-2026:27125 cve-icon
https://access.redhat.com/security/cve/CVE-2026-9064 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2480093 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-9064 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-9064 cve-icon
History

Thu, 18 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:directory_server:13.2::el10
References

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:directory_server_e4s:11.7::el8
cpe:/a:redhat:directory_server_e4s:12.2::el9
cpe:/a:redhat:directory_server_e4s:12.4::el9
References

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat directory Server E4s
Redhat enterprise Linux Eus
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Eus Long Life
Redhat rhel Tus
CPEs cpe:/a:redhat:directory_server:11
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9		 cpe:/a:redhat:directory_server:11.9::el8
cpe:/a:redhat:directory_server_e4s:11.5::el8
cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_e4s:9.4::appstream
cpe:/a:redhat:rhel_eus:9.6::appstream
cpe:/a:redhat:rhel_eus:9.6::crb
cpe:/a:redhat:rhel_eus_long_life:8.4::appstream
cpe:/a:redhat:rhel_eus_long_life:8.6::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
cpe:/o:redhat:enterprise_linux:10.2
cpe:/o:redhat:enterprise_linux_eus:10.0
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat directory Server E4s
Redhat enterprise Linux Eus
Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Els
Redhat rhel Eus
Redhat rhel Eus Long Life
Redhat rhel Tus
References

Tue, 02 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat 389 Directory Server
CPEs cpe:2.3:a:redhat:directory_server:11.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:directory_server:12.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:directory_server:13.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:389_directory_server:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Vendors & Products Redhat 389 Directory Server

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat redhat Directory Server
Vendors & Products Redhat redhat Directory Server

Wed, 20 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 20 May 2026 10:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
Title 389-ds-base: 389-ds-base: unbounded ldap controls count in get_ldapmessage_controls_ext() causes cpu and heap amplification (remote dos)
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-770
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-18T19:46:42.276Z

Reserved: 2026-05-20T08:19:21.037Z

Link: CVE-2026-9064

cve-icon Vulnrichment

Updated: 2026-05-20T13:40:44.035Z

cve-icon NVD

Status : Modified

Published: 2026-05-20T10:16:28.940

Modified: 2026-06-17T20:17:30.617

Link: CVE-2026-9064

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-20T07:30:00Z

Links: CVE-2026-9064 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T08:19:26Z

Weaknesses