Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network vector with High complexity (MITM or malicious server required to deliver crafted NTLM challenge); no privileges needed; confidentiality-only impact from memory over-read.
Primary rating from Vendor (mitre).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionNVD
GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.
AnalysisAI
Memory disclosure in GNU SASL's NTLM client implementation allows a malicious or man-in-the-middle server to extract portions of client process memory by delivering a crafted undersized challenge to the _gsasl_ntlm_client_step function. All GNU SASL versions before 2.2.4 are affected, with the fix confirmed in the 2.2.4 release and a Debian security advisory issued downstream. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous conditions: (1) the target application must invoke GNU SASL using the NTLM client mechanism specifically - applications using any other SASL mechanism (PLAIN, SCRAM-SHA-*, GSSAPI, DIGEST-MD5, etc.) are completely unaffected regardless of version; and (2) the attacker must control, impersonate, or man-in-the-middle the server to which the NTLM client connects, enabling delivery of a crafted short challenge. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.7 Low score accurately reflects genuinely constrained exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker operating a malicious authentication server, or intercepting traffic between a GNU SASL NTLM client and a legitimate server, sends a crafted NTLM challenge token whose length falls below the expected minimum. The client's `_gsasl_ntlm_client_step` reads past the challenge buffer boundary due to the missing lower-bound check, and the over-read memory - potentially containing secrets, tokens, or other heap contents - is incorporated into the client's NTLM response and returned to the attacker. … |
| Remediation | Upgrade GNU SASL to version 2.2.4 or later, which introduces proper minimum-length sanitization of the NTLM challenge in `_gsasl_ntlm_client_step`; the release is available at https://ftp.gnu.org/gnu/gsasl/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38512
GHSA-2qgp-6c6g-cmwv