CVE-2026-9064: 389-ds-base Denial-of-Service Vulnerability Exposes LDAP Servers
The National Vulnerability Database has identified CVE-2026-9064, a critical denial-of-service vulnerability within the 389-ds-base LDAP server. The issue lies in the get_ldapmessage_controls_ext() function, which fails to limit the number of controls per LDAP message. An unauthenticated remote attacker can exploit this by sending a crafted LDAP request packed with an excessive number of controls, consuming vast amounts of CPU and heap memory.
This attack can lead to severe performance degradation, worker thread exhaustion, and ultimately, server termination due to out-of-memory conditions. The CVSS score of 7.5 (HIGH) underscores the significant risk, particularly given the lack of authentication required for exploitation. Organizations relying on 389-ds-base for directory services must prioritize patching this vulnerability to prevent disruptive denial-of-service attacks.
What This Means For You
- If your organization uses 389-ds-base, immediately verify that systems are patched against CVE-2026-9064. Monitor LDAP server performance for unusual spikes in CPU or memory usage, which could indicate an attempted or active exploitation.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
DoS Traffic Pattern Detection
title: DoS Traffic Pattern Detection
id: scw-2026-05-20-1
status: experimental
level: high
description: |
Detects volumetric traffic patterns consistent with denial of service attacks targeting your infrastructure.
author: SCW Feed Engine (auto-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-9064/
tags:
- attack.impact
- attack.t1499
logsource:
category: firewall
detection:
selection:
dst_port:
- 80
- 443
condition: selection | count(src_ip) by dst_ip > 1000
falsepositives:
- Legitimate activity from CVE-2026-9064
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-9064 | Vulnerability | CVE-2026-9064 |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 13:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...