CVE-2026-11774: Integer Overflow or Wraparound in Red Hat Directory Server 11
CVE-2026-11774 is an integer overflow vulnerability in the SASL I/O layer of Red Hat Directory Server 11 (389-ds-base). The flaw occurs in sasl_io_start_packet() when adding sizeof(uint32_t) to a crafted SASL packet length prefix causes an unsigned wraparound, bypassing size limits and leading to a heap buffer overflow. This can be exploited after a successful SASL bind with integrity protection to cause denial of service or remote code execution. In FreeIPA and Red Hat Identity Management deployments, any domain user with valid credentials can trigger this remotely.
AI Analysis
Technical Summary
An integer overflow in the SASL I/O layer of 389 Directory Server (389-ds-base) in Red Hat Directory Server 11 allows an attacker to bypass the nsslapd-maxsasliosize limit by causing an unsigned wraparound in packet length calculation. This leads to a heap buffer overflow of up to approximately 2 MB of attacker-controlled data. Exploitation requires a successful SASL bind with integrity protection (SSF > 0). The vulnerability enables remote attackers with valid Kerberos tickets, enrolled hosts, or service accounts in FreeIPA and Red Hat Identity Management environments to cause denial of service or remote code execution. This issue is distinct from CVE-2025-14905 and affects the sasl_io.c component.
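The length check described above, as an added illustration in C. It is not code from 389-ds-base: the function names, the sample limit, and the assumption that the limit covers the 4-byte prefix plus the payload are hypothetical. The first function adds before comparing and wraps; the second validates the untrusted prefix before any arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the configured nsslapd-maxsasliosize value. */
#define SAMPLE_MAX_SASL_IO (2u * 1024u * 1024u)

/* Pattern the advisory describes: sizeof(uint32_t) is added to the
 * peer-supplied length in 32-bit arithmetic, then the sum is compared. */
static int length_ok_wrapping(uint32_t prefix_len, uint32_t max_io, uint32_t *total)
{
    uint32_t packet_len = prefix_len + (uint32_t)sizeof(uint32_t); /* may wrap */
    *total = packet_len;
    return packet_len <= max_io;
}

/* Hardened form: bound the untrusted prefix first, so the addition that
 * follows cannot exceed max_io and therefore cannot wrap. */
static int length_ok_checked(uint32_t prefix_len, uint32_t max_io, uint32_t *total)
{
    const uint32_t hdr = (uint32_t)sizeof(uint32_t);
    *total = 0;
    if (max_io < hdr || prefix_len > max_io - hdr) {
        return 0; /* reject before computing the total */
    }
    *total = prefix_len + hdr;
    return 1;
}

int main(void)
{
    /* Constructed length prefixes: small, at the limit, and near UINT32_MAX. */
    const uint32_t samples[] = { 1024u, SAMPLE_MAX_SASL_IO - 4u,
                                 SAMPLE_MAX_SASL_IO, 0xFFFFFFFCu, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t tw, tc;
        int w = length_ok_wrapping(samples[i], SAMPLE_MAX_SASL_IO, &tw);
        int c = length_ok_checked(samples[i], SAMPLE_MAX_SASL_IO, &tc);
        printf("prefix=0x%08x wrapping: %s (total=%u) checked: %s (total=%u)\n",
               (unsigned)samples[i], w ? "accept" : "reject", (unsigned)tw,
               c ? "accept" : "reject", (unsigned)tc);
    }
    return 0;
}
```

A prefix close to UINT32_MAX passes the first check with a tiny computed total while the real payload length remains huge; the second check rejects it because the comparison happens before the addition.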
Potential Impact
The vulnerability allows remote attackers with valid credentials to cause a denial of service or potentially execute arbitrary code on affected Red Hat Directory Server 11 instances. The heap buffer overflow can be up to approximately 2 megabytes of attacker-controlled data, increasing the risk of remote code execution. This impacts deployments using FreeIPA and Red Hat Identity Management where domain users or service accounts can trigger the flaw over the network.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-11774 for current remediation guidance. No official fix or workaround is explicitly stated in the provided advisory content. Until a patch is available, restrict access to the directory server to trusted users and monitor for unusual SASL bind activity.
CVSS v3.1
Score: 7.6 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-06-09T11:57:25.581Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: https://access.redhat.com/security/cve/CVE-2026-11774 (Red Hat)
Threat ID: 6a2b05c8815e7002b81e9b56
Added to database: 6/11/2026, 7:00:24 PM
Last enriched: 6/11/2026, 7:16:43 PM
Last updated: 6/12/2026, 3:56:29 AM