A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.

Project Subscriptions

Vendors Products
Directory Server Subscribe
Enterprise Linux Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

If possible, configure 389 Directory Server to use an alternative password storage scheme (e.g., SSHA512 or GOST-Yescrypt) which uses constant-time comparison.

History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Wed, 08 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Title 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification
First Time appeared Redhat
Redhat directory Server
Redhat enterprise Linux
Weaknesses CWE-208
CPEs cpe:/a:redhat:directory_server:11
cpe:/a:redhat:directory_server:12
cpe:/a:redhat:directory_server:13
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat directory Server
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-08T11:06:57.873Z

Reserved: 2026-07-08T10:00:02.126Z

Link: CVE-2026-15041

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-07-08T09:58:21Z

Links: CVE-2026-15041 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses