CVE Catalog

CVE-2026-11790

MediumCVSS 4.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

26th percentile - higher than 26% of all known CVEs

Summary

A flaw was found in 389 Directory Server where the PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

Risk Assessment

The risk is a potential denial of service attack through password manipulation, which can disrupt directory services and impact system availability for other users.

Recommendation

It is recommended to immediately update 389 Directory Server to a version that introduces an upper bound on PBKDF2-SHA256 iteration count. If an update is not possible, restrict password modification access to trusted administrators only.

Original NVD description (English source)

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS