CVE-2026-20746

Summary

Virtual attribute handling in Ping Identity PingDirectory in affected versions allows only authorized users to exhaust java memory heap when recent login history is enabled and copying virtual attributes that reference ds-privilege-name values.

Affected Software

VendorProductVersion RangeStatus
Ping IdentityPingDirectory9.3.0.0 <= 9.3.0.8affected
Ping IdentityPingDirectory10.1.0.0 <= 10.1.0.5unknown
Ping IdentityPingDirectory10.2.0.0 <= 10.2.0.5affected
Ping IdentityPingDirectory10.3.0.0 <= 10.3.0.3affected
Ping IdentityPingDirectory11.0.0.0 < 11.0.0.1affected

Weaknesses

  • CWE-401: CWE-401 Missing release of memory after effective lifetime

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References