A heap buffer overflow flaw was found in the SASL I/O layer of 389 Directory Server (389-ds-base). After a successful SASL bind with integrity protection (SSF > 0), an authenticated attacker can send a specially crafted oversized LDAP UNBIND packet that is copied into a 512-byte heap receive buffer without a bounds check in sasl_io_recv() in sasl_io.c. This allows up to approximately 2 megabytes of attacker-controlled data to overflow the buffer, causing a denial of service (server crash). In FreeIPA and Red Hat Identity Management deployments, any domain user with a valid Kerberos ticket, any enrolled host, or any service account can trigger this vulnerability over the network after authenticating via GSSAPI. The vulnerable code path has existed since approximately 2013 (389-ds-base 1.3.2) and was not addressed by the CVE-2025-14905 fix, which patched a separate heap overflow in schema.c only.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-11610 is a heap buffer overflow vulnerability in the SASL I/O layer of 389 Directory Server that allows authenticated attackers to crash the service by sending oversized LDAP UNBIND packets. The vulnerability exists in the sasl_io_recv() function, which copies incoming data into a fixed 512-byte buffer without validating packet size, permitting up to 2 megabytes of malicious data to overflow the heap. This affects organizations running 389 Directory Server with SASL integrity protection enabled (SSF > 0), making it particularly dangerous for enterprises using LDAP for authentication and directory services. While the CVSS score of 8.8 reflects high severity, the requirement for prior authentication limits immediate exposure—however, compromised user accounts or insider threats can trivially exploit this for denial of service.
Although this CVE maps to CWE-122 (heap buffer overflow) rather than discrete MITRE ATT&CK techniques, Casky's security skills library—powered by Claude's extended reasoning—would detect the attack patterns associated with exploitation. Practitioners using Casky would observe findings related to T1498 (Network Denial of Service) through resource exhaustion via malformed protocol packets, and potentially T1021.2 (SSH/LDAP protocol abuse) when analyzing network traffic containing oversized UNBIND frames sent post-authentication. The platform's 754 mapped skills would flag suspicious authentication sequences followed by abnormal packet structures, server process crashes correlated with specific LDAP client behavior, and heap memory corruption indicators in system logs—enabling defenders to correlate authentication logs with service interruptions and identify compromised accounts attempting exploitation.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-11610. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation