CVE-2026-9064

Daily digests

An unauthenticated attacker can send a single oversized LDAP request packed with hundreds of thousands of tiny controls, burning through CPU and heap memory on your 389 Directory Server. Under sustained or concurrent requests, this starves worker threads and can crash the process with an out-of-memory kill. No credentials or special config needed: if your LDAP port is reachable, you're exposed.

• Daily Digest · May 20, 2026

  389 DS denial-of-service + Keycloak session hijack