Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-05-20T07:30:00 389-ds-base: 389-ds-base: unbounded LDAP controls count in get_ldapmessage_controls_ext() causes CPU and heap amplification (remote DoS) 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE-770

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

This vulnerability is rated Important for Red Hat products shipping 389-ds-base. A remote, unauthenticated attacker with network access to the LDAP port can send a single crafted LDAP request containing an excessive number of minimal controls, causing the server to perform unbounded memory allocations and consume significant CPU time. Under concurrent attack, this can degrade or deny directory service availability through worker thread starvation or out-of-memory conditions. The vulnerability is mitigated in environments where the LDAP port is not exposed to untrusted networks (firewall/ACL restrictions). Additionally, lowering nsslapd-maxbersize reduces the maximum message size (and thus the upper bound on controls per message), though this does not fully eliminate the amplification since it caps bytes rather than control count. The definitive fix requires enforcing a maximum controls-per-message limit in the decode loop. Red Hat would like to thank Oleh Konko (1seal.org) for reporting this issue. Restrict network access to the LDAP port (389/tcp, 636/tcp) to trusted networks only using firewall rules or network ACLs. This prevents untrusted remote attackers from reaching the vulnerable code path. Optionally, lower the nsslapd-maxbersize configuration parameter to reduce the maximum BER message size accepted by the server. Note that this caps bytes, not the number of controls, and does not fully eliminate the amplification. Setting it too low may impact legitimate LDAP operations with large payloads. Red Hat Directory Server 11 Affected redhat-ds:11/389-ds-base Red Hat Directory Server 12 Affected redhat-ds:12/389-ds-base Red Hat Directory Server 13 Will not fix 389-ds-base Red Hat Enterprise Linux 10 Affected 389-ds-base Red Hat Enterprise Linux 6 Out of support scope 389-ds-base Red Hat Enterprise Linux 7 Affected 389-ds-base Red Hat Enterprise Linux 8 Affected 389-ds:1.4/389-ds-base Red Hat Enterprise Linux 9 Affected 389-ds-base https://www.cve.org/CVERecord?id=CVE-2026-9064 https://nvd.nist.gov/vuln/detail/CVE-2026-9064