Heap Buffer Overflow Vulnerability in 389 Directory Server by Red Hat
CVE-2026-12528
5.4 MEDIUM
What is CVE-2026-12528?
CVE-2026-12528 is a heap buffer overflow in the __aclp__normalize_acltxt() function in aclparse.c of 389 Directory Server. The function normalizes an Access Control Instruction (ACI) string by removing whitespace, but it does not validate the length of the resulting ACI keyword after that removal, so a malformed ACI string can cause out-of-bounds writes and reads on the heap. An authenticated user with write access (enough to modify an ACI) can trigger the flaw by submitting a crafted ACI value, corrupting memory in the directory server process.
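The bug class described above, as an added illustration that is not the 389 Directory Server source: a keyword extractor that bounds-checks the raw, whitespace-delimited token before normalization, then copies the keyword out of the normalized text, where whitespace removal has fused "target attrAAAA..." into one keyword far longer than the destination. The hardened variant re-checks the length after normalization. All names (strip_ws, KW_MAX, keyword_unchecked, keyword_checked), the buffer size and the two ACI strings are hypothetical, constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define KW_MAX 16   /* hypothetical fixed-size keyword buffer */

/* Hypothetical normalizer: copy `in` without any whitespace into a new
 * heap string. Stands in for whatever strips whitespace in a real ACI
 * parser. Caller frees the result. */
static char *strip_ws(const char *in)
{
    char *out = malloc(strlen(in) + 1);
    if (!out) return NULL;
    char *p = out;
    for (; *in; in++)
        if (!isspace((unsigned char)*in))
            *p++ = *in;
    *p = '\0';
    return out;
}

/* Length of the first whitespace-delimited token after the opening '('
 * in the RAW text. The vulnerable pattern bounds-checks this number. */
size_t raw_token_len(const char *aci)
{
    const char *s = aci;
    while (*s == '(' || isspace((unsigned char)*s)) s++;
    size_t n = 0;
    while (s[n] && s[n] != '=' && !isspace((unsigned char)s[n])) n++;
    return n;
}

/* Length of the keyword (text before the first '=') AFTER whitespace
 * removal. Returns 0 if there is no '='. */
size_t normalized_keyword_len(const char *aci)
{
    char *norm = strip_ws(aci);
    if (!norm) return 0;
    const char *start = (norm[0] == '(') ? norm + 1 : norm;
    const char *eq = strchr(start, '=');
    size_t n = eq ? (size_t)(eq - start) : 0;
    free(norm);
    return n;
}

/* VULNERABLE pattern (never call with untrusted input): the only bound
 * is checked on the raw token; the copy then uses the normalized keyword,
 * which can be much longer once the whitespace between tokens is gone. */
int keyword_unchecked(const char *aci, char kw[KW_MAX])
{
    if (raw_token_len(aci) >= KW_MAX) return -1;   /* pre-normalization check only */
    char *norm = strip_ws(aci);
    if (!norm) return -1;
    const char *start = (norm[0] == '(') ? norm + 1 : norm;
    const char *eq = strchr(start, '=');
    if (!eq) { free(norm); return -1; }
    size_t len = (size_t)(eq - start);
    memcpy(kw, start, len);   /* out-of-bounds write past kw when len >= KW_MAX */
    kw[len] = '\0';
    free(norm);
    return 0;
}

/* HARDENED: the length that matters is the one after normalization, so
 * that is the one compared against the destination buffer. */
int keyword_checked(const char *aci, char kw[KW_MAX])
{
    char *norm = strip_ws(aci);
    if (!norm) return -1;
    const char *start = (norm[0] == '(') ? norm + 1 : norm;
    const char *eq = strchr(start, '=');
    int rc = -1;
    if (eq) {
        size_t len = (size_t)(eq - start);
        if (len > 0 && len < KW_MAX) {      /* post-normalization bound */
            memcpy(kw, start, len);
            kw[len] = '\0';
            rc = 0;
        }
    }
    free(norm);
    return rc;
}

/* Constructed sample ACI texts (not taken from the advisory). The crafted
 * one passes the raw-token check ("target" is 6 bytes) but normalizes to
 * a 42-byte keyword. */
const char *benign_aci  = "(targetattr = \"cn\")(version 3.0; acl \"t\"; allow (read) userdn = \"ldap:///anyone\";)";
const char *crafted_aci = "(target attrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA = \"cn\")";
char kw_buf[KW_MAX];
```

The point to take away is that any length the parser validates before a transformation (whitespace stripping, unescaping, case folding) is not the length it will later copy; the check belongs immediately before the copy, on the transformed data. Running the unchecked variant on crafted_aci under AddressSanitizer reports the out-of-bounds write; the checked variant simply rejects it.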