{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-12528", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-06-17T13:48:38.528Z", "datePublished": "2026-06-17T14:27:27.457Z", "dateUpdated": "2026-06-17T18:12:30.719Z"}, "containers": {"cna": {"title": "389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Directory Server 11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-ds:11/389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:directory_server:11"]}, {"vendor": "Red Hat", "product": "Red Hat Directory Server 12", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-ds:12/389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:directory_server:12"]}, {"vendor": "Red Hat", "product": "Red Hat Directory Server 13", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:directory_server:13"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "389-ds-base", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-12528", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489835", "name": "RHBZ#2489835", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/389ds/389-ds-base/pull/7542"}], "datePublic": "2026-06-03T13:09:01.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-787: Out-of-bounds Write", "workarounds": [{"lang": "en", "value": "Ensure that only highly privileged accounts (Directory Manager or explicitly delegated ACI administrators) have write access to the 'aci' attribute. Review existing ACIs for overly broad targetattr rules (especially negated rules like targetattr!=\"...\" or wildcards like targetattr=\"*\") that may inadvertently grant regular users write access to operational attributes including 'aci'. The 389 DS ACI linting tool (lib389) can help identify such misconfigurations."}], "timeline": [{"lang": "en", "time": "2026-06-03T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-03T13:09:01.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-17T14:27:27.457Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T18:01:06.014990Z", "id": "CVE-2026-12528", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:12:30.719Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-12528", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-17T18:01:06.014990Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T18:01:10.168Z"}}], "cna": {"title": "389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:directory_server:11"], "vendor": "Red Hat", "product": "Red Hat Directory Server 11", "packageName": "redhat-ds:11/389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:directory_server:12"], "vendor": "Red Hat", "product": "Red Hat Directory Server 12", "packageName": "redhat-ds:12/389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:directory_server:13"], "vendor": "Red Hat", "product": "Red Hat Directory Server 13", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "389-ds-base", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-06-03T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-06-03T13:09:01.000Z", "value": "Made public."}], "datePublic": "2026-06-03T13:09:01.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-12528", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489835", "name": "RHBZ#2489835", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/389ds/389-ds-base/pull/7542"}], "workarounds": [{"lang": "en", "value": "Ensure that only highly privileged accounts (Directory Manager or explicitly delegated ACI administrators) have write access to the 'aci' attribute. Review existing ACIs for overly broad targetattr rules (especially negated rules like targetattr!=\"...\" or wildcards like targetattr=\"*\") that may inadvertently grant regular users write access to operational attributes including 'aci'. The 389 DS ACI linting tool (lib389) can help identify such misconfigurations."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-06-17T14:27:27.457Z"}, "x_redhatCweChain": "CWE-787: Out-of-bounds Write"}}, "cveMetadata": {"cveId": "CVE-2026-12528", "state": "PUBLISHED", "dateUpdated": "2026-06-17T18:12:30.719Z", "dateReserved": "2026-06-17T13:48:38.528Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-06-17T14:27:27.457Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "389-ds-base: 389-ds-base: heap-buffer-overflows in __aclp__normalize_acltxt()", "id": "2489835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2489835"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in 389 Directory Server in the __aclp__normalize_acltxt() function of aclparse.c. A malformed ACI (Access Control Instruction) string can trigger heap-buffer-overflow writes and reads during ACI parsing. The function fails to validate that the ACI keyword has sufficient length after whitespace stripping, leading to a 1-byte out-of-bounds write and subsequent out-of-bounds reads. An authenticated user with write access to the aci attribute could send a crafted ACI value to silently corrupt heap memory in the directory server process."], "mitigation": {"lang": "en:us", "value": "Ensure that only highly privileged accounts (Directory Manager or explicitly delegated ACI administrators) have write access to the 'aci' attribute. Review existing ACIs for overly broad targetattr rules (especially negated rules like targetattr!=\"...\" or wildcards like targetattr=\"*\") that may inadvertently grant regular users write access to operational attributes including 'aci'. The 389 DS ACI linting tool (lib389) can help identify such misconfigurations."}, "name": "CVE-2026-12528", "package_state": [{"cpe": "cpe:/a:redhat:directory_server:11", "fix_state": "Fix deferred", "package_name": "redhat-ds:11/389-ds-base", "product_name": "Red Hat Directory Server 11"}, {"cpe": "cpe:/a:redhat:directory_server:12", "fix_state": "Fix deferred", "package_name": "redhat-ds:12/389-ds-base", "product_name": "Red Hat Directory Server 12"}, {"cpe": "cpe:/a:redhat:directory_server:13", "fix_state": "Fix deferred", "package_name": "389-ds-base", "product_name": "Red Hat Directory Server 13"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "389-ds-base", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-06-03T13:09:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-12528\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-12528\nhttps://github.com/389ds/389-ds-base/pull/7542"], "statement": "This flaw in 389 Directory Server has a Low impact. A heap buffer overflow in the ACI parsing function can be triggered by a specially crafted Access Control Instruction (ACI) string. While modern Red Hat Directory Server configurations typically limit write access to the `aci` attribute to the Directory Manager, certain older deployments or custom ACI patterns could allow other authenticated users to introduce the malformed string. The resulting 1-byte heap corruption is silent in production builds and is not considered weaponizable for code execution.", "threat_severity": "Low"}

{}