<Vulnerability name="CVE-2026-14940">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-07T12:01:00</PublicDate>
    <Bugzilla id="2497697" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497697" xml:lang="en:us">
389-ds-base: 389-ds-base: heap-buffer-overflow in DN normalization via quoted multivalued RDN
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.3</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-122</CWE>
    <Details xml:lang="en:us" source="Mitre">
A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When
normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a
multivalued nested Relative Distinguished Name (RDN), the server can write past the
end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated
remote attacker can trigger this condition by sending an LDAP operation whose DN
reaches the DN normalization routine, such as a search with a crafted base DN. This
can corrupt heap memory and may cause denial of service.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A heap-buffer-overflow flaw was found in 389 Directory Server (389-ds-base). When
normalizing a Distinguished Name (DN) that contains a legacy-quoted value encoding a
multivalued nested Relative Distinguished Name (RDN), the server can write past the
end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated
remote attacker can trigger this condition by sending an LDAP operation whose DN
reaches the DN normalization routine, such as a search with a crafted base DN. This
can corrupt heap memory and may cause denial of service.
    </Details>
    <Statement xml:lang="en:us">
Red Hat rates this issue as Moderate impact. In 389-ds-base, DN normalization of a
crafted legacy-quoted multivalued RDN can corrupt heap memory during internal
attribute-value sorting. Any unauthenticated client that can reach the LDAP service
and supply a malformed DN in an operation such as search, bind, add, or modify can
trigger the bug.
In standard production builds, the server often rejects the malformed DN with
"Invalid DN syntax" and continues operating; the heap corruption may be silent rather
than immediately terminating ns-slapd. Denial of service is more reliably observed
when heap debugging is enabled (for example AddressSanitizer or MALLOC_CHECK_=3),
or depending on heap layout and subsequent memory allocator activity. For this
reason Red Hat rates availability impact as Low (A:L) rather than High.
There is no configuration switch to disable DN normalization for client-supplied DNs.
The vulnerable code path is present in all currently supported 389-ds-base versions
that ship the quoted-RDN parsing logic in dn.c.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Denis Rastyogin (ALT Linux) for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:directory_server:11">
        <ProductName>Red Hat Directory Server 11</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>redhat-ds:11/389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:directory_server:12">
        <ProductName>Red Hat Directory Server 12</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>redhat-ds:12/389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:directory_server:13">
        <ProductName>Red Hat Directory Server 13</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Out of support scope</FixState>
        <PackageName>389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>389-ds:1.4/389-ds-base</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Fix deferred</FixState>
        <PackageName>389-ds-base</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14940
https://nvd.nist.gov/vuln/detail/CVE-2026-14940
    </References>
</Vulnerability>