A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Red Hat Red Hat Directory Server 11 affected
Red Hat Red Hat Directory Server 12 affected
Red Hat Red Hat Directory Server 13 affected
Red Hat Red Hat Enterprise Linux 10 affected
Red Hat Red Hat Enterprise Linux 6 unaffected
Red Hat Red Hat Enterprise Linux 7 affected
Red Hat Red Hat Enterprise Linux 8 affected
Red Hat Red Hat Enterprise Linux 9 affected

No data.

No data.

No data.

Project Subscriptions

Vendors Products
Redhat Subscribe
Directory Server Subscribe
Enterprise Linux Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

Schedule schema reload operations during maintenance windows with reduced LDAP traffic. Minimize schema reload frequency; in replication topologies schema changes propagate automatically. Monitor for unexpected ns-slapd restarts during or immediately after schema reloads. Restrict write access to cn=schema,cn=config to dedicated administrative accounts via LDAP ACIs.

References
Link Providers
https://access.redhat.com/security/cve/CVE-2026-11791 cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2485414 cve-icon
https://redhat.atlassian.net/browse/PSIRTSUPT-7600 cve-icon
History

Thu, 18 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389 Directory Server. During schema reload, the attr_syntax_swap_ht() function unconditionally frees attribute syntax information nodes, bypassing the refcount-based deferred deletion used elsewhere in the attribute syntax subsystem. If an administrator triggers schema reload while concurrent LDAP query traffic is active, worker threads may access freed memory, resulting in use-after-free or double-free and a denial of service (server crash).
Title 389-ds-base: 389-ds-base: use-after-free in schema reload via attr_syntax_swap_ht()
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-416
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-18T15:24:19.371Z

Reserved: 2026-06-09T13:01:16.818Z

Link: CVE-2026-11791

cve-icon Vulnrichment

Updated: 2026-06-18T15:24:15.461Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses