Back to overview

CVE-2026-15041

LOW
3.7
CVSS 3.1
Description
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

Metadata

CVE ID
CVE-2026-15041
State
PUBLISHED
Assigner
redhat
Reserved
2026-07-08 10:00 UTC
Published
2026-07-08 10:15 UTC
Last updated
2026-07-08 13:44 UTC
Primary CWE
CWE-208
Observable Timing Discrepancy
Vendor / Product
Red Hat / Red Hat Directory Server 11
Sources
cve.org  ·  NVD

Severity & Metrics

3.7 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (8)
VendorProductPlatformVersions
Red Hat Red Hat Directory Server 11
Red Hat Red Hat Directory Server 12
Red Hat Red Hat Directory Server 13
Red Hat Red Hat Enterprise Linux 10
Red Hat Red Hat Enterprise Linux 6
Red Hat Red Hat Enterprise Linux 7
Red Hat Red Hat Enterprise Linux 8
Red Hat Red Hat Enterprise Linux 9
Weakness (CWE)
CWESourceDescription
CWE-208 cna Observable Timing Discrepancy
CVSS scores (1)
ScoreSeverityVersionSourceVector
3.7 LOW 3.1 cna CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Back to overview