A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Wed, 08 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Title 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-208
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T11:06:57.873Z

Reserved: 2026-07-08T10:00:02.126Z

Link: CVE-2026-15041

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-07-08T09:58:21Z

Links: CVE-2026-15041 - Bugzilla

cve-icon OpenCVE Enrichment

No data.