LDAP Server Control Processing Causes Denial of Service

A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service.

Casky was already ahead

This CVE exploits attack patterns that Casky's 312matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

CVE-2026-9064 exploits a resource exhaustion vulnerability in 389-ds-base's LDAP message handling. The get_ldapmessage_controls_ext() function fails to validate an upper limit on the number of controls within a single LDAP message, allowing unauthenticated attackers to craft requests with hundreds of thousands of minimal controls that stay within the 2 MB default BER message size limit. This triggers excessive CPU consumption and heap allocation, degrading server performance significantly under concurrent attack conditions. Organizations running 389-ds-base for directory services—including those managing authentication and identity infrastructure—face availability risks and potential cascading failures across dependent systems.

Casky's 312 mapped security skills use Claude's extended reasoning to correlate attack patterns across MITRE ATT&CK Denial of Service (TA0040) and Command and Control (TA0011) techniques. Practitioners using Casky would detect this vulnerability through analysis of anomalous LDAP protocol behavior: detection of messages with unusually high control counts, monitoring for resource exhaustion patterns (CPU spikes, memory allocation anomalies), and network traffic analysis revealing repeated malformed LDAP requests from unauthenticated sources. The platform's skills enable security teams to identify exploitation attempts by tracking the resource consumption signatures and protocol-level deviations characteristic of control-flooding attacks, allowing them to implement defensive measures such as connection rate limiting, control count validation, and early rejection of suspicious LDAP messages before server degradation occurs.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

312 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-9064.

analyzing-android-malware-with-apktool

malware analysis · medium

Run

analyzing-apt-group-with-mitre-navigator

threat intelligence · low

Run

analyzing-bootkit-and-rootkit-samples

malware analysis · medium

Run

MITRE ATT&CK Techniques

TA0040 TA0011

Investigate the attack patterns behind CVE-2026-9064

Casky has 312 skills that investigate the attack patterns behind CVE-2026-9064. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn