The vulnerability in Red Hat Directory Server 11 arises from the lack of an upper bound enforcement on the number of controls per LDAP message in the get_ldapmessage_controls_ext() function. Attackers can craft LDAP requests containing an extremely large number of minimal controls that fit within the default maximum BER message size (2 MB). This causes excessive CPU consumption and heap memory allocation on the server. When exploited concurrently, it results in significant latency degradation, starvation of worker threads, or out-of-memory termination, effectively causing a denial of service condition. The CVSS 3.1 base score is 7.5, indicating high severity, with no impact on confidentiality or integrity but a high impact on availability. The vendor advisory does not currently specify an official fix or patch, and no known exploits in the wild have been reported.

The impact of this vulnerability is a denial of service condition on Red Hat Directory Server 11. An unauthenticated remote attacker can cause excessive resource consumption leading to server latency degradation, worker thread starvation, or process termination due to out-of-memory conditions. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits in the wild have been reported.

Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9064 for current remediation guidance. Since no official fix or remediation level is indicated in the advisory content provided, users should monitor the vendor site for updates. Until a patch is available, consider limiting exposure of the LDAP service to untrusted networks and applying any available LDAP request rate limiting or resource controls if supported by the environment.