Skip to main content

memcached CVE-2026-47784

| EUVDEUVD-2026-31069 HIGH
Observable Timing Discrepancy (CWE-208)
2026-05-20 mitre GHSA-r4h3-4q3v-2776
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 20, 2026 - 07:01 EUVD
Source Code Evidence Fetched
May 20, 2026 - 07:00 vuln.today
Analysis Generated
May 20, 2026 - 07:00 vuln.today

DescriptionCVE.org

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.

AnalysisAI

Timing side-channel in memcached versions prior to 1.6.42 allows remote attackers to recover SASL authentication credentials by measuring response times during password comparison. The flaw stems from the use of the non-constant-time memcmp() function within sasl_server_userdb_checkpass, enabling byte-by-byte inference of stored passwords. No public exploit identified at time of analysis, but the upstream fix has been published.

Technical ContextAI

memcached is a widely deployed in-memory key-value store used as a caching layer for web applications and databases. When configured with SASL authentication backed by a userdb password file (sasl_defs.c), the server reads candidate credentials line by line and compares them against client-supplied values. The pre-1.6.42 implementation used standard memcmp(), which short-circuits on the first byte mismatch - leaking information about how many leading bytes matched via response latency. This is a textbook CWE-208 (Observable Timing Discrepancy / Observable Discrepancy) issue affecting cpe:2.3:a:memcached:memcached:*. The fix replaces memcmp() with safe_memcmp(), a constant-time comparison routine, and also zeroes the read buffer before each fgets() to eliminate residual data side-channels.

RemediationAI

Vendor-released patch: upgrade memcached to version 1.6.42 or later, which replaces memcmp() with the constant-time safe_memcmp() in sasl_server_userdb_checkpass (commit d13f282b4bce33a9c33b8a1bbf07f12114160fed). Operators unable to upgrade immediately should restrict access to memcached's listening port (default 11211) to trusted hosts via host-based firewall rules or network ACLs, eliminating the remote timing channel at the cost of breaking any legitimate remote clients. As an alternative, switch SASL authentication away from the file-based userdb backend to a Cyrus SASL backend (e.g., sasldb or PAM) that performs comparisons outside the vulnerable code path, accepting the operational overhead of an external authentication store. See https://github.com/memcached/memcached/wiki/ReleaseNotes1642 for full release details.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-47784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy