CVE-2026-15041 - 389-ds-base: 389-ds-base: non-constant-time comparison in pbkdf2-sha256 password verification
CVE ID :CVE-2026-15041
Published : July 8, 2026, 11:16 a.m. | 1 hour, 29 minutes ago
Description :A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : July 8, 2026, 11:16 a.m. | 1 hour, 29 minutes ago
Description :A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password verification function uses standard memcmp() for comparing password hashes instead of a constant-time comparison function. A remote attacker could potentially use timing measurements of LDAP bind attempts to infer partial hash information, though practical exploitation is extremely difficult due to PBKDF2 computational overhead.
Severity: 3.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...