CVE-2026-47783

HIGH

memcached < 1.6.42 - Observable Timing Discrepancy in SASL Username Validation

Title source: llm

Description

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

References (3)

Core 3

Core References

https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

View Patch ZIP pw:eip

https://github.com/memcached/memcached/compare/1.6.41...1.6.42

https://github.com/memcached/memcached/wiki/ReleaseNotes1642

Scores

CVSS v3 8.1

EPSS 0.0114

EPSS Percentile 62.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-208

Status published

Products (1)

memcached/memcached < 1.6.42 (2 CPE variants)

Published May 20, 2026

Tracked Since May 20, 2026