Skip to main content

GNU SASL EUVDEUVD-2026-38512

| CVE-2026-56968 MEDIUM
Numeric Range Comparison Without Minimum Check (CWE-839)
2026-06-23 mitre GHSA-2qgp-6c6g-cmwv
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (mitre) PRIMARY
LOW
qualitative
NVD
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
3.7 LOW

Network vector with High complexity (MITM or malicious server required to deliver crafted NTLM challenge); no privileges needed; confidentiality-only impact from memory over-read.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Severity Changed
Jun 29, 2026 - 23:07 NVD
LOW MEDIUM
CVSS changed
Jun 29, 2026 - 23:07 NVD
3.7 (LOW) 5.3 (MEDIUM)
Patch available
Jun 23, 2026 - 18:17 EUVD
Analysis Generated
Jun 23, 2026 - 17:11 vuln.today

DescriptionNVD

GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.

AnalysisAI

Memory disclosure in GNU SASL's NTLM client implementation allows a malicious or man-in-the-middle server to extract portions of client process memory by delivering a crafted undersized challenge to the _gsasl_ntlm_client_step function. All GNU SASL versions before 2.2.4 are affected, with the fix confirmed in the 2.2.4 release and a Debian security advisory issued downstream. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Position as MITM or operate malicious NTLM server
Delivery
Induce target client to initiate NTLM SASL authentication
Exploit
Send crafted undersized NTLM challenge
Execution
Trigger out-of-bounds read in _gsasl_ntlm_client_step
Impact
Receive disclosed client memory in NTLM response

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous conditions: (1) the target application must invoke GNU SASL using the NTLM client mechanism specifically - applications using any other SASL mechanism (PLAIN, SCRAM-SHA-*, GSSAPI, DIGEST-MD5, etc.) are completely unaffected regardless of version; and (2) the attacker must control, impersonate, or man-in-the-middle the server to which the NTLM client connects, enabling delivery of a crafted short challenge. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.7 Low score accurately reflects genuinely constrained exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker operating a malicious authentication server, or intercepting traffic between a GNU SASL NTLM client and a legitimate server, sends a crafted NTLM challenge token whose length falls below the expected minimum. The client's `_gsasl_ntlm_client_step` reads past the challenge buffer boundary due to the missing lower-bound check, and the over-read memory - potentially containing secrets, tokens, or other heap contents - is incorporated into the client's NTLM response and returned to the attacker. …
Remediation Upgrade GNU SASL to version 2.2.4 or later, which introduces proper minimum-length sanitization of the NTLM challenge in `_gsasl_ntlm_client_step`; the release is available at https://ftp.gnu.org/gnu/gsasl/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy