CVE-2026-11791 - Vulnerability Details

- 389-ds-base: 389-ds-base: use-after-free in schema reload via attr_syntax_swap_ht()

Description

A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).

Published: 2026-06-18

Score: 5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Directory Server 11	affected	—
Red Hat	Red Hat Directory Server 12	affected	—
Red Hat	Red Hat Directory Server 13	affected	—
Red Hat	Red Hat Enterprise Linux 10	affected	—
Red Hat	Red Hat Enterprise Linux 6	unaffected	—
Red Hat	Red Hat Enterprise Linux 7	affected	—
Red Hat	Red Hat Enterprise Linux 8	affected	—
Red Hat	Red Hat Enterprise Linux 9	affected	—

No data.

Vendor Product Confidence Versions

Redhat

Directory Server

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Redhat

Enterprise Linux

100%

Version	Status	Scheme	Platform
`—`	affected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Schedule schema reload operations during maintenance windows with reduced LDAP traffic. Minimize schema reload frequency; in replication topologies schema changes propagate automatically. Monitor for unexpected ns-slapd restarts during or immediately after schema reloads. Restrict write access to cn=schema,cn=config to dedicated administrative accounts via LDAP ACIs.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0025.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-11791
https://bugzilla.redhat.com/show_bug.cgi?id=2485414

History

Tue, 30 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
References	https://redhat.atlassian.net/browse/PSIRTSUPT-7600

Thu, 18 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
Title		389-ds-base: 389-ds-base: use-after-free in schema reload via attr_syntax_swap_ht()
First Time appeared		Redhat Redhat directory Server Redhat enterprise Linux
Weaknesses		CWE-416
CPEs		cpe:/a:redhat:directory_server:11 cpe:/a:redhat:directory_server:12 cpe:/a:redhat:directory_server:13 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat directory Server Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2026-11791 https://bugzilla.redhat.com/show_bug.cgi?id=2485414 https://redhat.atlassian.net/browse/PSIRTSUPT-7600
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H'}`

Subscriptions

Redhat Directory Server Enterprise Linux

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-06-18T14:44:32.350Z

Updated: 2026-06-30T10:38:05.193Z

Reserved: 2026-06-09T13:01:16.818Z

Link: CVE-2026-11791

Vulnrichment

Updated: 2026-06-18T15:24:15.461Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T20:42:00Z

Weaknesses

CWE-416

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object