CVE-2026-14969
CVE-2026-14969 is a medium-severity vulnerability with a CVSS 3.x base score of 4.4. The underlying weakness is classified as CWE-329.
Key facts
- Severity: Medium (CVSS 3.x base score 4.4)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-329
- Published:
- Last modified:
Description
A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
Frequently asked questions
- What is CVE-2026-14969?
- A flaw was found in 389-ds-base where the LDBM backend attribute encryption uses a hardcoded static initialization vector for AES-CBC and 3DES-CBC operations, allowing an attacker with privileged filesystem access to detect plaintext equality across encrypted entries by comparing ciphertext blocks.
- How severe is CVE-2026-14969?
- CVE-2026-14969 has a CVSS 3.x base score of 4.4, rated medium severity. It is exploitable over local access with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-14969 being actively exploited?
- It is not currently listed in CISA's Known Exploited Vulnerabilities catalog, and no EPSS exploit-prediction score is available yet.
- How do I fix CVE-2026-14969?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2026-14969 published?
- CVE-2026-14969 was published on 2026-07-07.
References
- https://access.redhat.com/security/cve/CVE-2026-14969
- https://bugzilla.redhat.com/show_bug.cgi?id=2497735
Other CWE-329 vulnerabilities
- CVE-2022-46397 — High (CVSS 7.5): FP.io VPP (Vector Packet Processor) 22.10, 22.06, 22.02, 21.10, 21.06, 21.01, 20.09, 20.05, 20.01, 19.08, and 19.04…
- CVE-2024-49783 — Medium (CVSS 5.3): IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in storage of encrypted data. If…
- CVE-2024-56141 — Medium (CVSS 5.0): Minosoft is an open-source, multi-version Minecraft Java Edition client written in Kotlin. Starting in commit…
- CVE-2025-2814 — Medium (CVSS 4.0): Crypt::CBC versions between 1.21 and 3.05 for Perl may use the rand() function as the default source of entropy, which…
- CVE-2022-29054 — Low (CVSS 3.3): A missing cryptographic steps vulnerability [CWE-325] in the functions that encrypt the DHCP and DNS keys in Fortinet…