CVE-2026-47784

Published May 20, 2026

Last updated 6 days ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-47784 is a timing side-channel vulnerability in memcached versions before 1.6.42. The flaw is in `sasl_server_userdb_checkpass`, the function that verifies a client-supplied password against the Simple Authentication and Security Layer (SASL) password database, which performs the comparison with the standard `memcmp` routine. `memcmp` returns as soon as it finds the first differing byte, so the time a comparison takes depends on how many leading bytes of the guess match the stored secret. A network attacker who can measure response latency precisely enough can therefore tell a guess that matches one more byte from one that does not, and recover the password one byte at a time. The high attack complexity in the CVSS vector (AC:H) reflects that the timing differences are small and must be separated from network jitter over many samples. The weakness is classified as CWE-208: Observable Timing Discrepancy.
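The following C program is an added illustration of the weakness described in this entry; it is not memcached's code and the function names (`checkpass_memcmp`, `checkpass_consttime`, `matching_prefix_len`, `recover_by_timing`) and the sample secret are constructed for the example. It shows the early-exit `memcmp` check, a constant-time replacement, and a simulation of the byte-at-a-time recovery in which the attacker's latency measurement is replaced by a deterministic stand-in (the length of the matching prefix, which is what the early exit leaks).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative, not memcached's actual code): memcmp
 * stops at the first differing byte, so its running time grows with the
 * length of the prefix that the guess shares with the stored password. */
int checkpass_memcmp(const char *stored, const char *guess, size_t len) {
    return memcmp(stored, guess, len) == 0;
}

/* Hardened pattern: visit every byte and fold the differences into an
 * accumulator with no data-dependent branch, so the time depends only on
 * len. (Check the generated code; an aggressive compiler may still
 * reintroduce an early exit unless the accumulator is kept opaque.) */
int checkpass_consttime(const unsigned char *stored, const unsigned char *guess,
                        size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= (unsigned char)(stored[i] ^ guess[i]);
    }
    return acc == 0;
}

/* Deterministic stand-in for the attacker's timing oracle: the number of
 * leading bytes an early-exit compare matches before stopping. A real
 * attacker measures response latency and averages many samples to get
 * this value, which is why the CVSS vector rates attack complexity high. */
size_t matching_prefix_len(const unsigned char *stored, const unsigned char *guess,
                           size_t len) {
    size_t i = 0;
    while (i < len && stored[i] == guess[i]) {
        i++;
    }
    return i;
}

/* Simulate the byte-at-a-time recovery: for each position, try all 256
 * values while earlier positions are already correct, and keep the value
 * that makes the comparison run longest. Writes len bytes into out and
 * returns 1 if the recovered value passes the vulnerable check. */
int recover_by_timing(const unsigned char *stored, size_t len, unsigned char *out) {
    memset(out, 0, len);
    for (size_t pos = 0; pos < len; pos++) {
        size_t best_work = 0;
        int best = 0;
        for (int v = 0; v < 256; v++) {
            out[pos] = (unsigned char)v;
            size_t w = matching_prefix_len(stored, out, len);
            if (w > best_work) { /* only the right byte extends the prefix */
                best_work = w;
                best = v;
            }
        }
        out[pos] = (unsigned char)best;
    }
    return checkpass_memcmp((const char *)stored, (const char *)out, len);
}

int main(void) {
    /* Constructed sample secret; 8 bytes, no terminator needed. */
    const unsigned char secret[8] = {'s', '3', 'c', 'r', '3', 't', '!', 'x'};
    unsigned char recovered[8];

    int ok = recover_by_timing(secret, sizeof secret, recovered);
    printf("recovered via early-exit oracle: %.8s (authenticates: %d)\n",
           recovered, ok);

    /* The constant-time check gives the same verdict but leaks no prefix
     * length, so the same search has nothing to measure. */
    printf("constant-time verdict for recovered guess: %d\n",
           checkpass_consttime(secret, recovered, sizeof secret));
    return 0;
}
```

The stand-in oracle is idealised: real `memcmp` implementations often compare a machine word at a time, so the leak may come in coarser steps than single bytes, and each step must be distinguished from network noise with repeated measurements. Neither fact removes the side channel; both only raise the sample count the attacker needs.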

Description
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
Source
cve@mitre.org
NVD status
Analyzed
Products
memcached

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

cve@mitre.org
CWE-208

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

8

Configurations