CVE-2026-47783
Memcached SASL Timing Side Channel Vulnerability
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| memcached | memcached | 1.6.41 |
| memcached | memcached | to 1.6.42 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-47783 is a timing side-channel vulnerability in memcached versions before 1.6.42 affecting the SASL password database authentication mechanism.
The issue arises because the authentication code exits a loop as soon as a valid username is found, causing a timing difference that can be measured by an attacker.
Additionally, the password comparison used a function that returns early on the first differing byte, potentially leaking password bytes through timing analysis.
The vulnerability allows attackers to infer valid usernames and password bytes by analyzing response times during authentication attempts.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform timing attacks to discover valid usernames and parts of passwords used in SASL authentication on memcached.
By exploiting this, an attacker could gain unauthorized access or escalate privileges by obtaining authentication credentials.
The CVSS v3.1 base score of 8.1 indicates a high severity impact, including potential confidentiality, integrity, and availability compromises.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability involves a timing side-channel in the SASL password database authentication of memcached before version 1.6.42. Detection would require monitoring for timing discrepancies during SASL authentication attempts, which is complex and not straightforward with simple commands.
No specific detection commands or tools are provided in the available resources. However, one practical approach is to check the memcached version running on your system to determine if it is vulnerable.
- Run the command: memcached -h or memcached --version to check the installed version.
- If the version is earlier than 1.6.42, the system is potentially vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade memcached to version 1.6.42 or later, which includes fixes for this timing side-channel vulnerability and other security issues.
The update removes the early loop exit in SASL authentication, uses constant-time comparison functions, and clears buffers to prevent timing attacks.
- Download and install memcached version 1.6.42 from the official source.
- Restart the memcached service after upgrading to apply the fixes.
If immediate upgrade is not possible, consider restricting access to memcached to trusted networks and users to reduce the risk of exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in memcached before version 1.6.42 involves a timing side-channel in the SASL password database authentication mechanism that could leak valid usernames and password bytes through timing analysis.
Such a vulnerability could potentially impact compliance with common standards and regulations like GDPR and HIPAA because it may allow unauthorized attackers to infer sensitive authentication credentials, leading to unauthorized access to protected data.
Unauthorized access resulting from leaked credentials could lead to breaches of confidentiality, integrity, and availability of sensitive information, which are core concerns of these regulations.
Therefore, failure to address this vulnerability could result in non-compliance with security requirements mandated by these standards.
Upgrading to memcached version 1.6.42, which fixes this timing side-channel and other security issues, is strongly recommended to mitigate these risks.