CVE-2026-9064 Overview
CVE-2026-9064 is a denial of service vulnerability in the 389-ds-base LDAP server. The get_ldapmessage_controls_ext() function does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a crafted LDAP request containing hundreds of thousands of minimal controls within the default 2 MB BER message size. The server consumes excessive CPU cycles and heap memory while parsing the request. Under concurrent exploitation, the directory server experiences latency degradation, worker thread starvation, or out-of-memory termination. The flaw is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling).
Critical Impact
Unauthenticated remote attackers can exhaust CPU and memory on the LDAP server, taking directory services offline and disrupting authentication for dependent applications.
Affected Products
- 389-ds-base (Red Hat Directory Server upstream project)
- Red Hat Directory Server distributions consuming 389-ds-base
- Fedora and downstream packages bundling vulnerable get_ldapmessage_controls_ext() code
Discovery Timeline
- 2026-05-20 - CVE-2026-9064 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9064
Vulnerability Analysis
The vulnerability resides in the LDAP message parsing path of 389-ds-base. When the server receives an LDAP request, the get_ldapmessage_controls_ext() function iterates through controls attached to the message and allocates heap memory for each control structure. The function does not cap the number of controls processed per message.
LDAP controls are small BER-encoded structures. Within the default 2 MB maximum message size, an attacker can pack several hundred thousand minimal controls. Parsing each control triggers heap allocation and CPU work. The asymmetry between attacker cost (one 2 MB message) and server cost (hundreds of thousands of allocations) creates an amplification primitive suitable for resource exhaustion attacks.
Root Cause
The root cause is a missing bound on a counted resource. 389-ds-base trusts the BER length of the Controls sequence declared in the request and decodes every control it contains until the end of the sequence. No quota, no throttle, and no early rejection guards the loop, so a message whose only constraint is nsslapd-maxbersize can drive hundreds of thousands of allocations. This pattern matches CWE-770, where untrusted input drives unbounded allocation.
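The following is an added example, not 389-ds-base code and not a proof of concept against the server: a small BER encoder and decoder for the LDAPMessage "controls [0] Controls" element (RFC 4511), used to show two things the paragraphs above describe. First, the arithmetic: a minimal Control is a SEQUENCE holding only a controlType OCTET STRING, five bytes for a one-byte OID string, so the default 2 MiB nsslapd-maxbersize admits a few hundred thousand of them. Second, the difference between the unbounded loop (every control decoded and allocated until the sequence ends) and a bounded loop that rejects the message at a cap, so the work done is limited by the cap rather than by the message size. The cap value, the one-byte controlType and the generated messages are assumptions made for this example.

```python
# Added example, not 389-ds-base code: minimal BER handling for the LDAP
# Controls element, showing control packing under the BER size ceiling and
# an unbounded control loop beside a capped one.
# Assumptions: a one-byte controlType string, and a hypothetical cap of 64.

DEFAULT_MAX_BER_SIZE = 2 * 1024 * 1024   # 389-ds-base default nsslapd-maxbersize (bytes)
MAX_CONTROLS_PER_MESSAGE = 64             # hypothetical cap chosen for this example


def ber_len(n):
    """Encode a definite BER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag, content):
    """Wrap content in a tag/length/value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def minimal_control(oid=b"1"):
    """Control ::= SEQUENCE { controlType LDAPOID }, criticality and
    controlValue omitted: 5 bytes for a one-byte OID string."""
    return ber_tlv(0x30, ber_tlv(0x04, oid))


def controls_sequence(count, oid=b"1"):
    """Controls ::= [0] SEQUENCE OF Control (context-specific constructed tag 0xA0)."""
    return ber_tlv(0xA0, minimal_control(oid) * count)


def max_controls_in(message_limit=DEFAULT_MAX_BER_SIZE):
    """Upper bound on minimal controls under the BER size ceiling (ignores the
    few bytes of LDAPMessage envelope around the Controls element)."""
    return message_limit // len(minimal_control())


def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, content_start, content_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, pos + hdr, end


def parse_controls(buf, max_controls=None):
    """Walk the Controls sequence and build one record per control.
    max_controls=None reproduces the unbounded pattern described for
    CVE-2026-9064: every control is decoded and allocated until the sequence
    ends. With a cap, the message is rejected as soon as the cap would be
    exceeded, before any further allocation."""
    tag, pos, end = read_tlv(buf, 0)
    if tag != 0xA0:
        raise ValueError("not a Controls element")
    controls = []
    while pos < end:
        if max_controls is not None and len(controls) >= max_controls:
            raise ValueError("too many controls (cap %d); rejecting message" % max_controls)
        ctag, cstart, cend = read_tlv(buf, pos)
        if ctag != 0x30 or cend > end:
            raise ValueError("control is not a SEQUENCE inside the Controls element")
        otag, ostart, oend = read_tlv(buf, cstart)
        if otag != 0x04:
            raise ValueError("controlType is not an OCTET STRING")
        controls.append({"controlType": buf[ostart:oend].decode("ascii")})  # per-control allocation
        pos = cend
    return controls


def accepts(buf, max_controls=None):
    """True if parse_controls finishes without rejecting the message."""
    try:
        parse_controls(buf, max_controls)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("minimal controls under 2 MiB:", max_controls_in())
    big = controls_sequence(100_000)
    print("unbounded parse decoded", len(parse_controls(big)), "controls")
    print("bounded parse accepts the same message:", accepts(big, MAX_CONTROLS_PER_MESSAGE))
```

The bounded loop checks the count before decoding the next control, so a rejected message costs at most the cap's worth of work plus one length read; a cap checked only after the loop would still let the attacker force the full parse. The 64 here is illustrative; a real limit should be set from the number of controls legitimate clients actually attach, which is typically in the single digits.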
Attack Vector
An unauthenticated attacker with network reachability to the LDAP listener constructs a single LDAP request packed with minimal controls. Repeated or concurrent submission of these requests forces the server to dedicate worker threads to parsing. CPU saturation, sustained heap growth, and eventual out-of-memory kills follow. No authentication, user interaction, or special privileges are required.
No verified public proof-of-concept code is available at the time of writing. See the Red Hat CVE-2026-9064 Advisory and the Red Hat Bug #2480093 Report for vendor-confirmed technical details.
Detection Methods for CVE-2026-9064
Indicators of Compromise
- LDAP requests approaching the 2 MB BER message ceiling originating from a single source or small set of sources
- Sudden spikes in ns-slapd resident memory and CPU utilization without a matching increase in authenticated bind operations
- Worker thread pool saturation reflected in 389-ds-base access and error logs
- Out-of-memory killer entries for ns-slapd in /var/log/messages or systemd journal
Detection Strategies
- Correlate elevated etime values per operation in the 389-ds-base access log with request sizes observed in network telemetry; the access log records timing and result fields but not the byte size of a request
- Alert when LDAP message size distributions, taken from a packet capture, load balancer, or protocol-aware proxy, skew toward the BER maximum during short time windows
- Baseline normal control counts per operation and flag deviations using SIEM rules; this needs a source that decodes the control list, since the access log does not count controls
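The detection strategy above, as an added example that is not part of the advisory or of 389-ds-base: a small detector that reads 389-ds-base access-log lines, ties each connection to its source address from the "connection from" line, and flags sources that accumulate slow operations (high etime) without ever completing an authenticated bind, which matches the indicator of rising CPU without a matching rise in authenticated binds. The log lines are constructed for this example, and the one-second threshold and the three-operation trigger are assumptions to be replaced by a baseline from your own logs.

```python
# Added example, not 389-ds-base code: per-source slow-operation detection
# over 389-ds-base access-log lines. The sample log below is constructed,
# and the thresholds are assumptions.
import re
from collections import defaultdict

ETIME_THRESHOLD = 1.0     # seconds; hypothetical slow-operation threshold
MIN_SLOW_OPS = 3          # hypothetical number of slow ops per source before alerting

CONN_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ slot=\d+ connection from (?P<src>\S+) to ")
BIND_RE = re.compile(r'conn=(?P<conn>\d+) op=\d+ BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>-?\d+) RESULT err=\d+ .*?etime=(?P<etime>[\d.]+)")

# Constructed sample: 10.0.0.50 opens two connections, never binds, and each
# operation takes about five seconds; 10.0.0.7 binds as a service account and
# runs a normal fast search.
SAMPLE_ACCESS_LOG = """\
[20/May/2026:10:00:01.000000000 +0000] conn=42 fd=64 slot=64 connection from 10.0.0.50 to 10.0.0.1
[20/May/2026:10:00:01.000500000 +0000] conn=42 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[20/May/2026:10:00:06.200000000 +0000] conn=42 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=5.199000000 etime=5.199100000
[20/May/2026:10:00:06.201000000 +0000] conn=42 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[20/May/2026:10:00:11.500000000 +0000] conn=42 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=5.298000000 etime=5.298100000
[20/May/2026:10:00:02.000000000 +0000] conn=43 fd=65 slot=65 connection from 10.0.0.50 to 10.0.0.1
[20/May/2026:10:00:02.000500000 +0000] conn=43 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs=ALL
[20/May/2026:10:00:07.300000000 +0000] conn=43 op=0 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=5.299000000 etime=5.299100000
[20/May/2026:10:00:03.000000000 +0000] conn=44 fd=66 slot=66 connection from 10.0.0.7 to 10.0.0.1
[20/May/2026:10:00:03.000500000 +0000] conn=44 op=0 BIND dn="uid=app,ou=svc,dc=example,dc=com" method=128 version=3
[20/May/2026:10:00:03.001000000 +0000] conn=44 op=0 RESULT err=0 tag=97 nentries=0 wtime=0.000100000 optime=0.000300000 etime=0.000400000 dn="uid=app,ou=svc,dc=example,dc=com"
[20/May/2026:10:00:03.002000000 +0000] conn=44 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs="cn mail"
[20/May/2026:10:00:03.004000000 +0000] conn=44 op=1 RESULT err=0 tag=101 nentries=1 wtime=0.000100000 optime=0.001500000 etime=0.001600000
"""


def summarize_by_source(lines, threshold=ETIME_THRESHOLD):
    """Per-source counts of operations, slow operations, max etime and authenticated binds."""
    src_of_conn = {}
    summary = defaultdict(lambda: {"ops": 0, "slow_ops": 0, "max_etime": 0.0, "authenticated_binds": 0})
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            src_of_conn[m.group("conn")] = m.group("src")
            continue
        m = BIND_RE.search(line)
        if m and m.group("dn"):      # an empty dn is an anonymous bind
            summary[src_of_conn.get(m.group("conn"), "unknown")]["authenticated_binds"] += 1
            continue
        m = RESULT_RE.search(line)
        if m:
            s = summary[src_of_conn.get(m.group("conn"), "unknown")]
            etime = float(m.group("etime"))
            s["ops"] += 1
            s["max_etime"] = max(s["max_etime"], etime)
            if etime >= threshold:
                s["slow_ops"] += 1
    return dict(summary)


def suspicious_sources(lines, threshold=ETIME_THRESHOLD, min_slow_ops=MIN_SLOW_OPS):
    """Sources with at least min_slow_ops slow operations and no authenticated bind."""
    return sorted(src for src, s in summarize_by_source(lines, threshold).items()
                  if s["slow_ops"] >= min_slow_ops and s["authenticated_binds"] == 0)


if __name__ == "__main__":
    for src, s in summarize_by_source(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(src, s)
    print("suspicious:", suspicious_sources(SAMPLE_ACCESS_LOG.splitlines()))
```

Run it against a tailed access log rather than the embedded sample to use it for real; the "connection from" line precedes every operation on a connection, so a streaming reader can keep the same conn-to-source map. Connection lines are lost if the log is rotated mid-connection, which is why unmapped connections are reported under "unknown" rather than dropped.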
Monitoring Recommendations
- Forward 389-ds-base access and error logs to a centralized analytics platform for correlation against network telemetry
- Track per-source LDAP request rate, message size, and operation latency as first-class metrics
- Monitor ns-slapd process memory and thread counts with host-based telemetry to catch resource exhaustion in progress
How to Mitigate CVE-2026-9064
Immediate Actions Required
- Apply vendor patches for 389-ds-base as soon as they are published by your distribution
- Restrict network exposure of LDAP listeners to trusted management networks and application subnets
- Place rate limiting or connection throttling in front of directory servers using a network appliance or reverse proxy
- Increase monitoring sensitivity on directory server CPU, memory, and thread pool metrics until patches are deployed
Patch Information
Consult the Red Hat CVE-2026-9064 Advisory for fixed package versions and errata identifiers. Track the Red Hat Bug #2480093 Report for upstream commit references and backport status across supported distributions.
Workarounds
- Lower the maximum LDAP BER message size via the nsslapd-maxbersize configuration attribute to reduce the number of controls an attacker can pack per request. Choose a value above the largest legitimate operation your clients and replication partners send (entries carrying large binary attributes such as certificates or photos are the usual ceiling). This shrinks the per-message amplification but does not remove it, since an attacker can send more, smaller messages
- 389-ds-base does not rate-limit by source address. Limit the worker threads a single connection can occupy with nsslapd-maxthreadsperconn, cap total open descriptors with nsslapd-maxdescriptors, and enforce per-IP connection and request rate limits at the network layer (firewall, load balancer, or LDAP proxy)
- Require TLS client certificates or restrict anonymous bind on internet-exposed directory instances. Controls are decoded before any bind is evaluated, so this narrows who can reach the listener but does not by itself avoid the parsing cost of a crafted message
# Reduce maximum BER message size to limit control packing (about 200 KB here; size it to your largest legitimate operation)
dsconf <instance> config replace nsslapd-maxbersize=209715
# Limit how many worker threads a single connection may occupy at once
dsconf <instance> config replace nsslapd-maxthreadsperconn=2
# Restart the directory server to apply changes
systemctl restart dirsrv@<instance>
# Confirm the new limit is in effect
dsconf <instance> config get nsslapd-maxbersize
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


