CVE-2026-9064: 389-ds-base: LDAP DoS via unbounded control count

HIGH
Published May 20, 2026
CISO Take

CVE-2026-9064 is a denial-of-service vulnerability in Red Hat's 389 Directory Server where the LDAP message handler fails to cap the number of controls per request, allowing an unauthenticated remote attacker to exhaust CPU and heap memory by embedding hundreds of thousands of minimal controls within a single 2 MB BER message. Organizations running AI/ML platforms — JupyterHub, Kubeflow, MLflow, or any LDAP-backed model-serving stack on Red Hat infrastructure — face authentication outages if this server is taken offline, effectively locking data science and security teams out of tooling. Exploitation requires zero credentials and minimal skill (CVSS AV:N/AC:L/PR:N/UI:N), though no public exploit code or active exploitation has been confirmed and the CVE is not in CISA KEV. Red Hat has released patches across ten errata (RHSA-2026:26452 through RHSA-2026:26461) covering all affected product streams; apply immediately and restrict LDAP port access to trusted hosts at the network perimeter as an interim control.

Sources: NVD, ATLAS, CISA KEV

What is the risk?

Risk is HIGH for organizations running AI/ML platforms that delegate authentication to 389-ds-based LDAP infrastructure. The vulnerability is trivially exploitable — unauthenticated, low complexity, network-accessible — reducing the attacker bar to near-zero. No public exploit code or active exploitation is confirmed and the CVE is absent from CISA KEV, which moderates urgency slightly. The absence of EPSS data limits probabilistic scoring, but the broad deployment of Red Hat Directory Server in enterprise environments combined with a complete availability impact (CVSS A:H) warrants prompt remediation. Organizations without network-level controls restricting LDAP to trusted sources are most exposed, particularly those using 389-ds as an authentication backbone for multi-user AI platforms.

How does the attack unfold?

  1. Initial Access (AML.T0049): Attacker identifies an exposed 389-ds-based LDAP endpoint (TCP 389/636) via network scanning — no credentials or prior access required.

  2. Payload Crafting: Attacker constructs BER-encoded LDAP messages embedding hundreds of thousands of zero-length controls, keeping total message size within the 2 MB BER default to bypass size-based defenses.

  3. Resource Exhaustion (AML.T0034.001): Concurrent crafted requests cause get_ldapmessage_controls_ext() to heap-allocate without bound, saturating worker threads and triggering CPU spikes or OOM termination of ns-slapd.

  4. AI Service Denial (AML.T0029): With the LDAP service down, AI/ML platforms depending on it for authentication (JupyterHub, Kubeflow, MLflow) can no longer authenticate users, locking personnel out of AI infrastructure.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
389-ds-base | | | No patch
389-ds:1.4 | | | No patch
redhat-ds:11 | | | No patch
redhat-ds:12/389-ds-base | | | No patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 52% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High

What should I do?

5 steps
  1. Apply Red Hat errata immediately: RHSA-2026:26452 through RHSA-2026:26461 cover redhat-ds:11, 389-ds:1.4, and redhat-ds:12 product streams — check your installed package version against errata applicability.

  2. Enforce network-level ACLs to restrict LDAP (TCP 389/636) to authorized client CIDRs only — this eliminates the unauthenticated network attack vector entirely.

  3. Review 389-ds connection limits (nsslapd-maxdescriptors) and consider setting an explicit per-connection control limit once a patch exposes that knob; note that nsslapd-maxbersize alone is insufficient since the attack fits within the 2 MB default.

  4. Monitor for anomalous LDAP patterns: high-frequency connections from unexpected sources, sustained CPU spikes in ns-slapd, and OOM kill events in /var/log/messages or journald.

  5. For AI/ML platforms, implement fallback authentication (local service accounts, secondary auth provider) to maintain operational continuity during LDAP outages — this is a resilience gap independent of this CVE.
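One way to check the log-based indicators from step 4, as an added example that is not from the advisory or from 389-ds: it flags per-source connection bursts in 389-ds access-log lines and counts kernel OOM-killer events naming ns-slapd. The sample lines are constructed; the exact log line shapes, the 10-second window and the threshold of 5 are assumptions.

```python
"""Detection sketch for the step 4 indicators. Added example, not from the
advisory or 389-ds: it flags connection bursts per source in 389-ds access-log
lines and counts kernel OOM-killer lines naming ns-slapd. Sample lines are
constructed; the log shapes and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# 389-ds access log connection line (assumed shape):
# "[20/May/2026:10:00:00.000000000 +0000] conn=N fd=N slot=N connection from A to B"
CONN_RE = re.compile(r"^\[(?P<ts>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ [+-]\d{4}\] "
                     r"conn=\d+ fd=\d+ slot=\d+ (?:SSL )?connection from (?P<src>\S+) to \S+")
# kernel OOM-killer line as relayed by journald / /var/log/messages (assumed shape)
OOM_RE = re.compile(r"Out of memory: Killed process \d+ \(ns-slapd\)")

def connection_bursts(lines, window=timedelta(seconds=10), threshold=5):
    """Return {src: peak} for sources opening more than `threshold` connections
    inside any span of length `window` (sliding window over sorted timestamps)."""
    per_src = defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            per_src[m["src"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S"))
    hits = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop stamps older than the window
                start += 1
            if end - start + 1 > threshold:
                hits[src] = max(hits.get(src, 0), end - start + 1)
    return hits

def oom_events(lines):
    """Count OOM-killer terminations of ns-slapd (the OOM indicator in step 4)."""
    return sum(1 for line in lines if OOM_RE.search(line))

# Constructed samples: seven connections in seven seconds from one source, one from another
ACCESS_LOG = [f"[20/May/2026:10:00:0{i}.000000000 +0000] conn={100 + i} fd=64 slot=64 "
              f"connection from 203.0.113.9 to 192.0.2.10" for i in range(7)]
ACCESS_LOG.append("[20/May/2026:10:00:30.000000000 +0000] conn=200 fd=65 slot=65 "
                  "SSL connection from 198.51.100.4 to 192.0.2.10")
JOURNAL = ["May 20 10:00:09 ldap1 kernel: Out of memory: Killed process 2217 (ns-slapd) "
           "total-vm:4194304kB, anon-rss:3900000kB, file-rss:0kB, shmem-rss:0kB",
           "May 20 10:00:10 ldap1 systemd[1]: dirsrv@ldap1.service: Main process exited"]
```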

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.6.2.4 - Information security for AI systems
NIST AI RMF: MANAGE 2.2 - Incident response for AI risks

Frequently Asked Questions

Is CVE-2026-9064 actively exploited?

No confirmed active exploitation of CVE-2026-9064 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-9064?

This vulnerability affects the following AI/ML architecture patterns: enterprise AI platforms with LDAP authentication backends (JupyterHub, Kubeflow); MLOps pipelines using LDAP-backed access control on Red Hat infrastructure; model serving infrastructure with 389-ds-based directory integration; and AI development environments on Red Hat Enterprise Linux.

What is the CVSS score for CVE-2026-9064?

CVE-2026-9064 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.81%.

What is the AI security impact?

Affected AI Architectures

  • Enterprise AI platforms with LDAP authentication backends (JupyterHub, Kubeflow)
  • MLOps pipelines using LDAP-backed access control on Red Hat infrastructure
  • Model serving infrastructure with 389-ds-based directory integration
  • AI development environments on Red Hat Enterprise Linux

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034.001 Resource-Intensive Queries
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.2.4
NIST AI RMF: MANAGE 2.2

What are the technical details?

Original Advisory

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.
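The bound the advisory describes as missing, as an added example that is not 389-ds-base code: a small parser for the Controls element of an LDAPMessage (RFC 4511) that counts controls and rejects the message as soon as an assumed cap (MAX_CONTROLS) is passed, before any further per-control work. The sample inputs are constructed; the cap value is illustrative.

```python
"""Bounded parser for the Controls element of an LDAPMessage (RFC 4511). Added
example, not 389-ds-base code; MAX_CONTROLS is an assumed, illustrative cap."""
MAX_CONTROLS = 64  # assumed cap; a real server would make this configurable

class ControlLimitExceeded(Exception):
    pass  # raised as soon as the control count passes the limit

def read_ber_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated BER length")
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    nbytes = first & 0x7F                 # long form: number of length bytes
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        raise ValueError("bad BER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes

def count_controls(controls: bytes, limit: int = MAX_CONTROLS) -> int:
    """Walk a [0] Controls element (tag 0xA0) and count its Control SEQUENCEs."""
    if not controls or controls[0] != 0xA0:
        raise ValueError("not a Controls element")
    body_len, pos = read_ber_length(controls, 1)
    end = pos + body_len
    if end > len(controls):
        raise ValueError("truncated Controls element")
    count = 0
    while pos < end:
        if controls[pos] != 0x30:         # each Control is a SEQUENCE
            raise ValueError("control is not a SEQUENCE")
        inner_len, pos = read_ber_length(controls, pos + 1)
        pos += inner_len                  # skip the control body; not decoded here
        if pos > end:
            raise ValueError("control overruns Controls element")
        count += 1
        if count > limit:                 # the missing bound: stop before more work
            raise ControlLimitExceeded(f"more than {limit} controls in one message")
    return count

def controls_within_limit(controls: bytes, limit: int = MAX_CONTROLS) -> bool:
    """True if the message's controls can be accepted under `limit`."""
    try:
        return count_controls(controls, limit) <= limit
    except ControlLimitExceeded:
        return False

# Constructed inputs: each minimal Control is SEQUENCE { OCTET STRING "" } = 30 02 04 00
THREE_CONTROLS = bytes.fromhex("a00c" + "30020400" * 3)     # short-form length, 12 bytes
FORTY_CONTROLS = bytes.fromhex("a081a0" + "30020400" * 40)  # long-form length, 160 bytes
```

The rejection happens at the first control past the limit, so the work done on an oversized message stays proportional to the cap rather than to the number of controls the sender packed in.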

Exploitation Scenario

An adversary targeting an AI/ML platform protected by Red Hat Directory Server identifies the exposed LDAP endpoint (port 389 or 636) via passive network enumeration or Shodan. They craft a series of BER-encoded LDAP bind or search requests, each embedding hundreds of thousands of zero-length controls while staying within the 2 MB default BER message size limit — bypassing the only existing size-based guard. Sending a dozen such requests concurrently causes get_ldapmessage_controls_ext() to iterate and heap-allocate for each control without bound, rapidly exhausting available memory and saturating ns-slapd worker threads. Within seconds, the directory service either hits OOM termination or becomes fully thread-starved. Data scientists, ML engineers, and security teams attempting to authenticate to JupyterHub or Kubeflow receive authentication errors and are locked out of AI infrastructure for the duration of the attack.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: May 20, 2026
Last Modified: June 18, 2026
First Seen: June 17, 2026
