Cyber Resilience

CVE-2025-14905

High

Published: 23 February 2026
Modified: 15 April 2026
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (55.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-14905 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 45.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-14905 is a heap buffer overflow vulnerability in the 389-ds-base server. The flaw occurs in the `schema_attr_enum_callback` function within the `schema.c` file, where the code incorrectly calculates buffer size by summing alias string lengths without accounting for additional formatting characters. When processing a large number of aliases, this leads to a heap overflow.
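
The sizing mistake described above, as an added C illustration that is not 389-ds-base source code: the function names, the quoted and space-separated output layout, and the sample aliases are assumptions made for the example. It contrasts a length sum that ignores formatting characters with a size that counts them, and a writer that refuses an undersized buffer instead of writing past it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed sizing pattern from the description: only alias text is counted. */
size_t size_naive(const char *const *aliases, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += strlen(aliases[i]);
    return total;
}

/* Corrected sizing for the assumed layout 'a' 'b' 'c': two quotes per alias,
 * one space between aliases, one NUL. Returns 0 if size_t would overflow. */
size_t size_needed(const char *const *aliases, size_t n)
{
    size_t total = 1; /* terminating NUL */
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(aliases[i]);
        size_t extra = 2 + (i ? 1 : 0);
        if (total > SIZE_MAX - extra || len > SIZE_MAX - extra - total)
            return 0;
        total += len + extra;
    }
    return total;
}

/* Bounded writer: returns -1 when cap is too small rather than writing
 * past the end of out; returns the resulting string length on success. */
long format_aliases(char *out, size_t cap, const char *const *aliases, size_t n)
{
    size_t need = size_needed(aliases, n);
    if (need == 0 || cap < need)
        return -1;
    size_t off = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++)
        off += (size_t)snprintf(out + off, cap - off, "%s'%s'", i ? " " : "", aliases[i]);
    return (long)off;
}

int main(void)
{
    const char *const a[] = {"cn", "commonName", "sn"}; /* constructed sample */
    char buf[64];
    long len = format_aliases(buf, sizeof buf, a, 3);
    printf("naive=%zu needed=%zu len=%ld %s\n", size_naive(a, 3), size_needed(a, 3), len, buf);
    return 0;
}
```

The gap between the two sizes grows with the number of aliases, which is why the overflow in the description depends on a large alias count.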

A remote attacker with high privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation could result in a Denial of Service (DoS) or Remote Code Execution (RCE), as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and associated CWE-122.

Red Hat has issued patches via security errata RHSA-2026:3189, RHSA-2026:3208, RHSA-2026:3379, RHSA-2026:3504, and RHSA-2026:4207 to mitigate the vulnerability in affected 389-ds-base packages.

Vulnerability details

A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Heap overflow in network-exposed 389-ds-base LDAP server directly enables remote exploitation for RCE/DoS (T1190); high-privilege requirement and lack of further attack-chain details limit additional mappings.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23827 (shared CWE-122)
CVE-2026-45584 (shared CWE-122)
CVE-2026-8175 (shared CWE-122)
CVE-2026-32945 (shared CWE-122)
CVE-2025-34522 (shared CWE-122)
CVE-2026-20766 (shared CWE-122)
CVE-2026-4395 (shared CWE-122)
CVE-2025-67268 (shared CWE-122)
CVE-2026-22697 (shared CWE-122)
CVE-2025-67896 (shared CWE-122)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires timely application of the Red Hat patches (RHSA-2026:3189 et al.) that eliminate the heap overflow in `schema_attr_enum_callback`.

Prevent: Mandates input validation and bounds checking on untrusted or complex data (alias lists) to prevent the incorrect buffer-size calculation that triggers the overflow.

Prevent: Requires memory-protection mechanisms that can block or contain heap-buffer-overflow exploitation attempts even if the schema-processing flaw remains.
