VYPR
High severity · 8.1 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-47783


Description

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Memcached before 1.6.42 has a timing side-channel in SASL authentication that allows username enumeration via password database check.

Vulnerability

In memcached versions before 1.6.42, the sasl_server_userdb_checkpass function used an early exit when a matching username was found during SASL password database authentication. This allowed an attacker to distinguish valid usernames from invalid ones based on response timing [2][3]. The vulnerable code path is triggered when SASL authentication is enabled and the password database is used for credential verification.

Exploitation

An attacker does not need prior authentication but must be able to send SASL authentication requests to a memcached instance that has SASL enabled. By measuring the time taken to receive a response for a known password attempt with different usernames, the attacker can determine which usernames exist in the password database. The timing difference arises because the loop exits as soon as a valid username is found, skipping the comparison of subsequent entries [3].

Impact

Successful exploitation allows an attacker to enumerate valid usernames in the SASL password database. This information disclosure can be used to perform targeted brute-force attacks on valid accounts, potentially leading to unauthorized access if weak passwords are used. The vulnerability does not directly expose passwords or allow remote code execution [2].

Mitigation

The vulnerability is fixed in memcached version 1.6.42, released on 2026-05-18 [2]. Upgrading to this version is strongly recommended. The fix replaces early-exit username matching with constant-time comparisons using safe_memcmp [3]. No workarounds are available for earlier versions.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

1
d13f282b4bce

Fix timing side-channel in SASL password database authentication

https://github.com/memcached/memcached · Sarthak Munshi · Mar 21, 2026 · via nvd-ref
1 file changed · +10 -11
  • sasl_defs.c · +10 -11 · modified
    @@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn,
         char buffer[MAX_ENTRY_LEN];
         bool ok = false;
     
    -    while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
    -        if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
    -            /* This is the correct user */
    -            ++unmlen;
    -            if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
    -                (buffer[unmlen + passlen] == ':' || /* Additional tokens */
    -                 buffer[unmlen + passlen] == '\n' || /* end of line */
    -                 buffer[unmlen + passlen] == '\r'|| /* dos format? */
    -                 buffer[unmlen + passlen] == '\0')) { /* line truncated */
    +    while (1) {
    +        memset(buffer, 0, sizeof(buffer));
    +        if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
    +            break;
    +        if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
    +            if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
    +                (buffer[unmlen + 1 + passlen] == ':' ||
    +                 buffer[unmlen + 1 + passlen] == '\n' ||
    +                 buffer[unmlen + 1 + passlen] == '\r' ||
    +                 buffer[unmlen + 1 + passlen] == '\0')) {
                     ok = true;
                 }
    -
    -            break;
             }
         }
         (void)fclose(pwfile);
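
Review bot: the nested `if` under `safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':'` still makes the password comparison conditional on a username match, so an entry whose username matches runs a second `safe_memcmp` over `passlen` bytes that every other entry skips. Consider evaluating the username and password comparisons for every line and combining the results without short-circuiting before setting `ok`. Removing the `break` also changes behaviour when the same username appears on more than one line: the old loop checked only the first matching entry, while the new one sets `ok = true` if any later entry has a matching password, which deserves a comment here or a note in the documentation.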
    

Vulnerability mechanics

Root cause

"The SASL password database authentication loop exits early upon finding a valid username, creating a measurable timing side-channel that leaks whether a username exists."

Attack vector

An unauthenticated attacker with network access to a memcached instance (before 1.6.42) that uses SASL password database authentication can measure the response time of authentication attempts. Because the original code [patch_id=653545] breaks out of the password file loop as soon as a valid username is found, attempts with valid usernames complete measurably faster than those with invalid usernames, which must scan the entire file. This timing discrepancy [CWE-208] allows an attacker to enumerate valid usernames remotely. Once a valid username is identified, the attacker can further exploit the non-constant-time memcmp() comparison to perform byte-by-byte password guessing via timing analysis.

Affected code

The vulnerability resides in the `sasl_server_userdb_checkpass()` function within `sasl_defs.c`. The function reads a password file line-by-line using `fgets()` and breaks out of the loop as soon as a matching username is found, creating a timing side-channel. The original code also uses `memcmp()` for both username and password comparisons, which is not constant-time.

What the fix does

The patch [patch_id=653545] removes the early break from the password file loop so the entire file is always scanned regardless of whether a valid username is found, eliminating the username-enumeration timing side-channel. It replaces memcmp() with safe_memcmp() for both username and password comparisons, providing constant-time behavior that does not exit early on the first differing byte. Additionally, the buffer is zeroed via memset() before each fgets() call, ensuring that comparisons past the stored password length hit known zero bytes rather than stale data. Together these changes ensure that authentication attempts take the same amount of time regardless of username validity or password correctness.
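
The loop change described above, as an added illustration that is not memcached's code: it runs the early-exit and full-scan shapes over a constructed in-memory database and counts the entries each one examines. `ct_equal`, `DB`, `check` and the `scanned` counter are hypothetical names, and running every check on every entry in the full-scan branch is this example's choice rather than the patch's exact control flow.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_ENTRY_LEN 256
/* Constructed sample entries in the user:password layout the patched loop parses. */
static const char *const DB[] = {"alice:wonderland\n", "bob:builder\n", "carol:s3cret\n"};
enum { DB_LEN = sizeof(DB) / sizeof(DB[0]) };
/* Hypothetical stand-in for safe_memcmp: true when equal, touches every byte. */
static bool ct_equal(const void *a, const void *b, size_t len) {
    const volatile unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++) diff |= x[i] ^ y[i];
    return diff == 0;
}
static bool is_end(char c) { return c == ':' || c == '\n' || c == '\r' || c == '\0'; }
/* early_exit=true is the pre-patch shape (memcmp + break); false is the full scan.
 * *scanned reports how many entries were examined, i.e. the work an observer times. */
static bool check(const char *user, const char *pass, bool early_exit, size_t *scanned) {
    size_t ulen = strlen(user), plen = strlen(pass);
    bool ok = false;
    *scanned = 0;
    if (ulen + 1 + plen >= MAX_ENTRY_LEN) return false; /* keep reads inside buffer */
    for (size_t i = 0; i < DB_LEN; i++) {
        char buffer[MAX_ENTRY_LEN];
        memset(buffer, 0, sizeof(buffer)); /* as in the patch: no stale bytes */
        strncpy(buffer, DB[i], sizeof(buffer) - 1);
        ++*scanned;
        if (early_exit) {
            if (memcmp(user, buffer, ulen) == 0 && buffer[ulen] == ':') {
                ok = memcmp(pass, buffer + ulen + 1, plen) == 0 && is_end(buffer[ulen + 1 + plen]);
                break; /* data-dependent exit: the source of the side channel */
            }
        } else { /* this example's choice: every check runs on every entry */
            bool um = ct_equal(user, buffer, ulen), sep = buffer[ulen] == ':';
            bool pm = ct_equal(pass, buffer + ulen + 1, plen), end = is_end(buffer[ulen + 1 + plen]);
            ok |= um & sep & pm & end;
        }
    }
    return ok;
}
bool check_early_exit(const char *u, const char *p, size_t *n) { return check(u, p, true, n); }
bool check_full_scan(const char *u, const char *p, size_t *n) { return check(u, p, false, n); }

int main(void) {
    size_t a, b, c, d;
    check_early_exit("alice", "x", &a); check_early_exit("mallory", "x", &b);
    check_full_scan("alice", "x", &c); check_full_scan("mallory", "x", &d);
    printf("entries scanned, early exit: %zu vs %zu; full scan: %zu vs %zu\n", a, b, c, d);
}
```

In the early-exit variant the entry count depends on whether and where the username appears in the file; in the full-scan variant it is the same for every input.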

Preconditions

  • config: memcached must be configured to use SASL password database authentication (sasl_server_userdb_checkpass)
  • network: Attacker must have network access to send authentication requests to the memcached instance
  • input: Attacker must be able to measure response timing with sufficient precision to distinguish the timing difference

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
