CVE-2026-11611
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during connection teardown or shutdown.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-400: Uncontrolled Resource Consumption
Workarounds
Bug 1 (Queue DoS): Reduce SYNC_MAX_CONCURRENT from the default of 10 to minimize the number of clients that can accumulate queues. Apply network-level rate limiting on persistent sync search requests. Monitor client connections and terminate stalled sync clients that stop reading for an extended period. Set system-level memory limits (e.g., LimitAS= in the systemd unit file or cgroup memory limits) to prevent unbounded memory growth. Bugs 2 and 3: No workaround available — these are code-level race conditions that require source fixes.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-11611
- https://bugzilla.redhat.com/show_bug.cgi?id=2485424
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.