CVE Catalog

CVE-2026-11789

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.34%

25th percentile - higher than 25% of all known CVEs

Summary

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

Risk Assessment

An attacker can remotely crash the LDAP server, causing a denial of service for directory services and authentication in the organization.

Recommendation

Immediately update 389 Directory Server to a version containing the fix for CVE-2026-11789. If an update is not possible, temporarily disable the SMD5 plugin.

Original NVD description (English source)

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS