Password Hash Comparison Vulnerability in 389 Directory Server by Red Hat
CVE-2026-15041
3.7LOW
What is CVE-2026-15041?
A vulnerability exists in the 389 Directory Server where the PBKDF2-SHA256 password verification function utilizes the standard memcmp() method for comparing password hashes. This can lead to potential timing attacks where a remote attacker might deduce partial information about password hashes through timing analysis of LDAP bind attempts. However, practical exploitation is challenging due to the inherent computational overhead of PBKDF2, making the risk of successful attacks relatively low.
References
CVSS V3.1
Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Andrew Rukin (Arenadata) for reporting this issue.