Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14940

CVE-2026-14940: Redhat Directory Server DOS Vulnerability

CVE-2026-14940 is a heap-buffer-overflow denial of service flaw in Redhat Directory Server that allows remote attackers to corrupt memory and crash the service. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14940 Overview

CVE-2026-14940 is a heap-buffer-overflow vulnerability in 389 Directory Server (389-ds-base), an enterprise Lightweight Directory Access Protocol (LDAP) server maintained by Red Hat. The flaw resides in the Distinguished Name (DN) normalization routine. When the server processes a legacy-quoted value encoding a multivalued nested Relative Distinguished Name (RDN), it writes past the end of a heap allocation while sorting RDN attribute-value pairs. An unauthenticated remote attacker can trigger the condition by sending an LDAP operation with a crafted base DN, such as a search request. Successful exploitation corrupts heap memory and can result in denial of service against the directory service.

Critical Impact

Unauthenticated remote attackers can corrupt heap memory in 389 Directory Server by sending a crafted LDAP request, leading to denial of service of directory authentication infrastructure.

Affected Products

  • Red Hat Directory Server 11.0, 12.0, and 13.0
  • Red Hat 389 Directory Server (389-ds-base)
  • Red Hat Enterprise Linux 7, 8, 9, and 10

Discovery Timeline

  • 2026-07-07 - CVE-2026-14940 published to the National Vulnerability Database (NVD)
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14940

Vulnerability Analysis

The vulnerability is classified as a heap-based buffer overflow ([CWE-122]) in the DN normalization logic of 389-ds-base. LDAP Distinguished Names identify directory entries and can include multivalued RDN components separated by +. The legacy quoted DN syntax permits values wrapped in double quotes that may embed further RDN structure. When the server encounters such a legacy-quoted value that itself encodes a nested multivalued RDN, the normalizer sorts the internal attribute-value pairs and writes into a heap buffer that was not sized to accommodate the parsed content.

Because DN normalization runs before authentication on many LDAP operations, an unauthenticated attacker reaching the LDAP port can invoke the vulnerable path with a single crafted request. The immediate consequence is heap corruption that causes the ns-slapd process to crash, terminating directory services for all clients that depend on it.

Root Cause

The root cause is insufficient bounds calculation when normalizing legacy-quoted DN values containing embedded multivalued RDNs. The parser does not account for the additional attribute-value pairs produced by expanding the quoted content prior to the sort operation, so subsequent writes exceed the allocated heap region.

Attack Vector

The attack vector is the network. An attacker sends any LDAP operation whose DN parameter reaches the normalization routine, such as a search with a crafted base DN. No authentication or user interaction is required. Directory servers exposed to internal networks, partner networks, or the internet are reachable through the standard LDAP (389/tcp) or LDAPS (636/tcp) ports.

No public proof-of-concept exploit code has been published. See the Red Hat CVE-2026-14940 Advisory and Red Hat Bug Report #2497697 for vendor technical details.

Detection Methods for CVE-2026-14940

Indicators of Compromise

  • Unexpected crashes or restarts of the ns-slapd process, with core dumps referencing DN parsing or RDN sort functions
  • LDAP request logs containing base DNs with legacy double-quoted values and embedded + separators indicating multivalued RDNs
  • ASAN or glibc heap corruption messages in /var/log/dirsrv/slapd-<instance>/errors
  • Sudden loss of LDAP bind or search availability from multiple clients within a short interval

Detection Strategies

  • Parse access and errors logs under /var/log/dirsrv/ for malformed DN patterns and correlate with process termination events
  • Deploy network signatures that inspect LDAP searchRequest and bindRequest PDUs for quoted DN values containing nested RDN separators
  • Monitor systemd or service supervisor events for repeated restart cycles of dirsrv@<instance>.service

Monitoring Recommendations

  • Alert on any ns-slapd segmentation fault or abort captured by systemd-coredump or abrt
  • Track LDAP request rates and error responses per source IP to identify anomalous probing of DN parsing paths
  • Ingest directory server logs into a centralized SIEM and build detections for repeated malformed DN parse failures preceding a service crash

How to Mitigate CVE-2026-14940

Immediate Actions Required

  • Apply the 389-ds-base security update from Red Hat as soon as it is available for your Red Hat Enterprise Linux release
  • Restrict network exposure of LDAP and LDAPS ports to trusted management and application networks only
  • Enable process supervision so ns-slapd restarts automatically after a crash to limit denial-of-service duration
  • Review directory server high-availability topology to ensure at least one replica remains reachable during targeted crashes

Patch Information

Red Hat tracks remediation through the Red Hat CVE-2026-14940 Advisory and Red Hat Bug Report #2497697. Administrators should update 389-ds-base and Red Hat Directory Server packages to the fixed versions distributed for RHEL 7, 8, 9, and 10 and for Directory Server 11.0, 12.0, and 13.0 once published. After patching, restart the dirsrv@<instance> service to load the updated binaries.

Workarounds

  • Place the directory server behind an LDAP-aware proxy or firewall that rejects requests containing legacy-quoted DN syntax with embedded multivalued RDNs
  • Limit anonymous LDAP access at the network layer to reduce the pool of potential attackers reaching the DN normalization code
  • Deploy replication with multiple suppliers and consumers so that a crash on one instance does not eliminate directory availability
bash
# Example: restrict LDAP access to trusted management subnet using firewalld
sudo firewall-cmd --permanent --zone=public --remove-service=ldap
sudo firewall-cmd --permanent --zone=public --remove-service=ldaps
sudo firewall-cmd --permanent --new-zone=ldap-trusted
sudo firewall-cmd --permanent --zone=ldap-trusted --add-source=10.0.10.0/24
sudo firewall-cmd --permanent --zone=ldap-trusted --add-service=ldap
sudo firewall-cmd --permanent --zone=ldap-trusted --add-service=ldaps
sudo firewall-cmd --reload

# Verify current 389-ds-base version and apply updates
rpm -q 389-ds-base
sudo dnf update 389-ds-base
sudo systemctl restart dirsrv@<instance>.service

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.