Amazon Linux 2 Security Advisory: ALAS2-2026-3339
Advisory Released Date: 2026-06-08
Advisory Updated Date: 2026-06-08
A flaw was found in 389-ds-base. The get_ldapmessage_controls_ext() function in the LDAP server does not enforce an upper bound on the number of controls per LDAP message. A remote, unauthenticated attacker can send a specially crafted LDAP request containing hundreds of thousands of minimal controls within the default maximum BER message size (2 MB), causing excessive CPU consumption and heap allocation on the server. Under concurrent exploitation, this leads to significant latency degradation, worker thread starvation, or out-of-memory termination, resulting in a denial of service. (CVE-2026-9064)
Affected Packages:
389-ds-base
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update 389-ds-base or yum update --advisory ALAS2-2026-3339 to update your system.
aarch64:
389-ds-base-1.3.10.2-17.amzn2.0.6.aarch64
389-ds-base-libs-1.3.10.2-17.amzn2.0.6.aarch64
389-ds-base-devel-1.3.10.2-17.amzn2.0.6.aarch64
389-ds-base-snmp-1.3.10.2-17.amzn2.0.6.aarch64
389-ds-base-debuginfo-1.3.10.2-17.amzn2.0.6.aarch64
i686:
389-ds-base-1.3.10.2-17.amzn2.0.6.i686
389-ds-base-libs-1.3.10.2-17.amzn2.0.6.i686
389-ds-base-devel-1.3.10.2-17.amzn2.0.6.i686
389-ds-base-snmp-1.3.10.2-17.amzn2.0.6.i686
389-ds-base-debuginfo-1.3.10.2-17.amzn2.0.6.i686
src:
389-ds-base-1.3.10.2-17.amzn2.0.6.src
x86_64:
389-ds-base-1.3.10.2-17.amzn2.0.6.x86_64
389-ds-base-libs-1.3.10.2-17.amzn2.0.6.x86_64
389-ds-base-devel-1.3.10.2-17.amzn2.0.6.x86_64
389-ds-base-snmp-1.3.10.2-17.amzn2.0.6.x86_64
389-ds-base-debuginfo-1.3.10.2-17.amzn2.0.6.x86_64