CVE-2026-20746: CWE-401 Missing release of memory after effective lifetime in Ping Identity PingDirectory
CVE-2026-20746 is a medium severity vulnerability in Ping Identity PingDirectory versions 9.3.0.0, 10.2.0.0, 10.3.0.0, and 11.0.0.0. It involves a missing release of memory after its effective lifetime (CWE-401) in the handling of virtual attributes when recent login history is enabled and copying virtual attributes referencing ds-privilege-name values. This can allow authorized users to exhaust the Java memory heap.
AI Analysis
Technical Summary
This vulnerability in Ping Identity PingDirectory affects specific versions (9.3.0.0, 10.2.0.0, 10.3.0.0, and 11.0.0.0) and arises from improper memory management (CWE-401) in virtual attribute handling. When recent login history is enabled and virtual attributes referencing ds-privilege-name values are copied, authorized users can cause exhaustion of the Java memory heap. The CVSS 4.0 score is 6.3 (medium severity), indicating a network attack vector with low attack complexity but requiring privileged user access and partial user interaction. The vulnerability does not affect confidentiality, integrity, or availability directly but impacts resource consumption.
Potential Impact
Authorized users can exploit this vulnerability to exhaust the Java memory heap on affected PingDirectory instances, potentially leading to degraded performance or denial of service due to memory exhaustion. There is no indication of direct impact on data confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary mitigation has been documented at this time. Until a patch is available, limit privileged user access and monitor for unusual memory consumption patterns related to virtual attribute operations.
CVE-2026-20746: CWE-401 Missing release of memory after effective lifetime in Ping Identity PingDirectory
Description
CVE-2026-20746 is a medium severity vulnerability in Ping Identity PingDirectory versions 9.3.0.0, 10.2.0.0, 10.3.0.0, and 11.0.0.0. It involves a missing release of memory after its effective lifetime (CWE-401) in the handling of virtual attributes when recent login history is enabled and copying virtual attributes referencing ds-privilege-name values. This can allow authorized users to exhaust the Java memory heap.
CVSS v4.0
Score 6.3medium
Affected software
pkg:github/pingidentity/pingdirectoryRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Ping Identity PingDirectory affects specific versions (9.3.0.0, 10.2.0.0, 10.3.0.0, and 11.0.0.0) and arises from improper memory management (CWE-401) in virtual attribute handling. When recent login history is enabled and virtual attributes referencing ds-privilege-name values are copied, authorized users can cause exhaustion of the Java memory heap. The CVSS 4.0 score is 6.3 (medium severity), indicating a network attack vector with low attack complexity but requiring privileged user access and partial user interaction. The vulnerability does not affect confidentiality, integrity, or availability directly but impacts resource consumption.
Potential Impact
Authorized users can exploit this vulnerability to exhaust the Java memory heap on affected PingDirectory instances, potentially leading to degraded performance or denial of service due to memory exhaustion. There is no indication of direct impact on data confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or temporary mitigation has been documented at this time. Until a patch is available, limit privileged user access and monitor for unusual memory consumption patterns related to virtual attribute operations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Ping Identity
- Date Reserved
- 2026-01-07T15:15:23.456Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2b7d3f815e7002b8ea08b0
Added to database: 6/12/2026, 3:30:07 AM
Last enriched: 6/12/2026, 3:45:19 AM
Last updated: 6/12/2026, 6:01:07 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.