
Ryan Tandy

#22276 of 53,635
10 Total CVSS
Vulnerabilities · 2
Medium
2
PT-2015-5342
5.0
2015-02-12
Openldap · Openldap · CVE-2015-1545
**Name of the Vulnerable Software and Affected Versions**

OpenLDAP versions 2.4.13 through 2.4.40

**Description**

The issue allows remote attackers to cause a denial of service, resulting in a crash due to a NULL pointer dereference. This can be achieved by sending a search request with an empty attribute list in a deref control.

**Recommendations**

For OpenLDAP versions 2.4.13 through 2.4.40, consider updating to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `deref_parseCtrl` function in the `deref.c` file until a patch is available. Avoid using empty attribute lists in deref controls in search requests until the issue is resolved.

PT-2015-5343
5.0
2015-02-12
Openldap · Openldap · CVE-2015-1546
**Name of the Vulnerable Software and Affected Versions**

OpenLDAP version 2.4.40

**Description**

A double free issue in the `get_vrFilter` function in `servers/slapd/filter.c` allows remote attackers to cause a denial of service, resulting in a crash, by sending a crafted search query with a matched values control.

**Recommendations**

For OpenLDAP version 2.4.40, consider applying a patch or updating to a newer version that fixes the double free vulnerability in the `get_vrFilter` function to prevent remote attackers from causing a denial of service.