CVE-2026-11790

Published: Jun 9, 2026Modified: Jun 12, 2026

4.9

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Exploitability: 1.2 / Impact: 3.6

Source: secalert@redhat.com (Secondary)

Description

A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

Affected (8)

Products: Redhat: 389 Directory Server, Directory Server, Enterprise Linux

3 products

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Redhat 389 Directory Server	Version 1.3.6.0
Redhat Directory Server	Version 11.0
Redhat Directory Server	Version 12.0
Redhat Directory Server	Version 13.0
Redhat Enterprise Linux	Version 10.0
Redhat Enterprise Linux	Version 7.0
Redhat Enterprise Linux	Version 8.0
Redhat Enterprise Linux	Version 9.0

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (3)

https://access.redhat.com/security/cve/CVE-2026-11790

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2485421

Source: secalert@redhat.com

Issue TrackingVendor Advisory

https://redhat.atlassian.net/browse/PSIRTSUPT-7600

Source: secalert@redhat.com

Permissions Required

Timeline

No history available yet.