CVE-2026-14969: Generation of Predictable IV with CBC Mode in Red Hat Red Hat Directory Server 11
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
AI Analysis
Technical Summary
The vulnerability in Red Hat Directory Server 11 arises from the use of a hardcoded static initialization vector (IV) in the LDBM backend attribute encryption for AES-CBC and 3DES-CBC operations. Because the IV is predictable and static, an attacker with privileged access to the filesystem can compare ciphertext blocks to detect when plaintext values are equal across encrypted entries. This weakness compromises confidentiality by leaking information about plaintext equality but does not allow direct plaintext recovery or modification.
Potential Impact
An attacker with privileged filesystem access can determine when encrypted attribute values are identical by analyzing ciphertext blocks, potentially aiding further attacks or information disclosure. However, the vulnerability does not allow the attacker to decrypt the data or alter it, so integrity and availability remain unaffected. The CVSS score of 4.4 reflects a medium severity impact focused on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-14969 for current remediation guidance. Until an official fix is available, restrict privileged filesystem access to trusted users only to mitigate the risk of exploitation.
CVE-2026-14969: Generation of Predictable IV with CBC Mode in Red Hat Red Hat Directory Server 11
Description
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
CVSS v3.1
Score 4.4medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Red Hat Directory Server 11 arises from the use of a hardcoded static initialization vector (IV) in the LDBM backend attribute encryption for AES-CBC and 3DES-CBC operations. Because the IV is predictable and static, an attacker with privileged access to the filesystem can compare ciphertext blocks to detect when plaintext values are equal across encrypted entries. This weakness compromises confidentiality by leaking information about plaintext equality but does not allow direct plaintext recovery or modification.
Potential Impact
An attacker with privileged filesystem access can determine when encrypted attribute values are identical by analyzing ciphertext blocks, potentially aiding further attacks or information disclosure. However, the vulnerability does not allow the attacker to decrypt the data or alter it, so integrity and availability remain unaffected. The CVSS score of 4.4 reflects a medium severity impact focused on confidentiality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-14969 for current remediation guidance. Until an official fix is available, restrict privileged filesystem access to trusted users only to mitigate the risk of exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-07-07T15:32:40.440Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-14969","vendor":"Red Hat"}]
Threat ID: 6a4d2240c9d9e3dbe3707e7d
Added to database: 07/07/2026, 15:58:56 UTC
Last enriched: 07/07/2026, 16:13:34 UTC
Last updated: 07/07/2026, 16:44:04 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.