Denial of Service Vulnerability in 389-ds-base LDAP Server by Red Hat
CVE-2026-9064

7.5HIGH

Key Information:

Vendor: Red Hat
Status: Red Hat Directory Server 11; Red Hat Directory Server 12; Red Hat Directory Server 13; Red Hat Enterprise Linux 10
Vendor: CVE Published:; 20 May 2026

What is CVE-2026-9064?

A flaw exists in the 389-ds-base LDAP server with the get_ldapmessage_controls_ext() function that allows a remote, unauthenticated attacker to exploit the server. By sending a crafted LDAP request containing excessive controls, an attacker can consume significant CPU resources and trigger heap allocation issues. This exploitation could lead to severe latency, worker thread starvation, or out-of-memory conditions, ultimately resulting in a denial of service that impacts the availability and performance of the LDAP server.

References

https://access.redhat.com/security/cve/CVE-2026-9064

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2480093

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
May 20, 2026

Credit

Red Hat would like to thank Oleh Konko (1seal.org) for reporting this issue.

CVE-2026-9064 Data

JSON