CVE Catalog

CVE-2026-11792

LowCVSS 3.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

18th percentile — higher than 18% of all known CVEs

Summary

A heap buffer overflow vulnerability was found in 389 Directory Server. The create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space, causing an overflow when a short cleartext password is logged.

Risk Assessment

An attacker could exploit this vulnerability to corrupt heap memory and audit log output, potentially leading to unpredictable server behavior or information disclosure.

Recommendation

It is recommended to immediately update 389 Directory Server to the latest patched version and, if possible, disable logging of cleartext passwords.

Original NVD description (English source)

A heap buffer overflow flaw was found in 389 Directory Server. When audit logging is enabled, the create_masked_entry_string() function in auditlog.c copies a fixed-length password mask into a precisely-sized heap buffer without checking available space. If a short cleartext password is logged (requiring non-default CLEAR password storage or a compromised replication peer), the copy overflows the buffer, corrupting heap memory and audit log output.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS