Password Hash Comparison Vulnerability in 389 Directory Server by Red Hat
CVE-2026-15041

3.7LOW

What is CVE-2026-15041?

A vulnerability exists in the 389 Directory Server where the PBKDF2-SHA256 password verification function utilizes the standard memcmp() method for comparing password hashes. This can lead to potential timing attacks where a remote attacker might deduce partial information about password hashes through timing analysis of LDAP bind attempts. However, practical exploitation is challenging due to the inherent computational overhead of PBKDF2, making the risk of successful attacks relatively low.

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Andrew Rukin (Arenadata) for reporting this issue.
.