CVE-2026-47784
Description
In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Memcached 1.6.41 and earlier use memcmp for SASL password verification, creating a timing side channel that can leak credential data.
Vulnerability
In memcached versions before 1.6.42, the SASL password database authentication function sasl_server_userdb_checkpass uses memcmp (not constant-time) to compare the provided password against the stored password hash or plaintext. This timing difference allows an attacker to perform a side-channel attack to recover the password by measuring response times. The affected code path is reachable when SASL authentication is enabled with the userdb back end. All memcached versions prior to 1.6.42 are impacted; the fix was introduced in commit d13f282b4bce33a9c33b8a1bbf07f12114160fed [1][2][3].
Exploitation
An attacker must be able to repeatedly send authentication attempts to a memcached instance that has SASL authentication enabled with a password database. No prior authentication is required; the attacker only needs network access to the memcached port. By measuring the time taken for each authentication response, the attacker can perform a timing attack to deduce the correct password character by character. The simplest and most realistic scenario involves a remote attacker who can observe response latencies with sufficient precision (e.g., over a low-latency LAN). [1][2][3]
Impact
Successful exploitation of this timing side channel allows an attacker to recover the SASL password for a target user. With the compromised credentials, the attacker can authenticate to memcached and gain access to cached data, potentially reading or modifying sensitive information stored in the cache, depending on the authorization policies in place. This undermines the confidentiality of the authentication mechanism. The impact is limited by the requirement for precise timing measurements and the network setup, but it is a realistic threat in environments with predictable network latency. [1][2][3]
Mitigation
The vulnerability is fixed in memcached version 1.6.42, released on 2026-05-18. Users should upgrade to version 1.6.42 or later [2]. The fix replaces memcmp with a constant-time comparison function safe_memcmp in the password check routine [3]. No workaround is available for earlier versions; upgrading is strongly advised. The issue does not appear on the CISA KEV list as of the publication date. [1][2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (1)
d13f282b4bce: Fix timing side-channel in SASL password database authentication
1 file changed · +10 −11
sasl_defs.c+10 −11 modified@@ -71,19 +71,18 @@ static int sasl_server_userdb_checkpass(sasl_conn_t *conn, char buffer[MAX_ENTRY_LEN]; bool ok = false; - while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) { - if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') { - /* This is the correct user */ - ++unmlen; - if (memcmp(pass, buffer + unmlen, passlen) == 0 && - (buffer[unmlen + passlen] == ':' || /* Additional tokens */ - buffer[unmlen + passlen] == '\n' || /* end of line */ - buffer[unmlen + passlen] == '\r'|| /* dos format? */ - buffer[unmlen + passlen] == '\0')) { /* line truncated */ + while (1) { + memset(buffer, 0, sizeof(buffer)); + if (fgets(buffer, sizeof(buffer), pwfile) == NULL) + break; + if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') { + if (safe_memcmp(pass, buffer + unmlen + 1, passlen) && + (buffer[unmlen + 1 + passlen] == ':' || + buffer[unmlen + 1 + passlen] == '\n' || + buffer[unmlen + 1 + passlen] == '\r' || + buffer[unmlen + 1 + passlen] == '\0')) { ok = true; } - - break; } } (void)fclose(pwfile);
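Review bot: With the `break` removed from the username-match branch, `ok` is now set by any line in the file whose user and password both match, whereas the old loop stopped at the first line for that user. If duplicate usernames in the password file are meant to keep first-entry-wins behaviour, that needs an explicit flag; if not, the new semantics deserve a comment. The password comparison also still sits behind the short-circuit `safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':'`, so it runs only on lines where the username matched and the per-request work still depends on whether the user exists; evaluating both comparisons unconditionally and combining the results would remove that. No check that `unmlen + 1 + passlen` stays within `sizeof(buffer)` is visible in this hunk; if it is not enforced earlier in the function, add it before the loop.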
Vulnerability mechanics
Root cause
"The password comparison function uses memcmp instead of a constant-time comparison, creating a timing side channel that leaks the password byte-by-byte."
Attack vector
An unauthenticated attacker with network access to the memcached server can exploit the timing side channel in SASL password database authentication [CWE-208]. By sending carefully crafted authentication attempts and measuring the response time, the attacker can infer whether each byte of the password guess is correct, because memcmp returns early on the first mismatching byte. The attacker must be able to make many authentication attempts and collect precise timing measurements, which is reflected in the CVSS attack complexity of High. Over successive iterations, the full password can be recovered byte-by-byte.
Affected code
The vulnerable code is in the sasl_server_userdb_checkpass function in sasl_defs.c [patch_id=653543]. This function reads a password database file line by line and uses memcmp to compare the provided username and password against the stored entries. The use of memcmp for password comparison introduces the timing side channel.
What the fix does
The patch replaces memcmp with safe_memcmp in both the username and password comparisons within sasl_server_userdb_checkpass [patch_id=653543]. safe_memcmp is a constant-time comparison function that always examines all bytes of the input, regardless of where the first difference occurs. This eliminates the timing discrepancy that previously allowed an attacker to determine how many initial bytes of the password were correct. The patch also adjusts the offset calculation (buffer + unmlen + 1 instead of buffer + unmlen) to account for the colon separator being skipped in the new logic.
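A minimal sketch of the comparison pattern described above, added here as an illustration and not taken from memcached or its patch. The names ct_equal, line_matches, check_password and ENTRY_MAX and the sample entries are assumptions made for this example; it also goes slightly beyond the patch by bounds-checking the lengths and evaluating both comparisons on every line.

```c
#include <stddef.h>
#include <string.h>

#define ENTRY_MAX 256 /* assumed line-buffer size for this example */

/* Hypothetical helper: compares n bytes with no early exit, so the running
 * time does not depend on where the first mismatching byte is. Returns 1/0. */
static unsigned ct_equal(const void *a, const void *b, size_t n) {
    const volatile unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(x[i] ^ y[i]);
    return diff == 0;
}

/* Checks one "user:password[:extra]" entry held in a zero-filled buffer.
 * The length check depends only on caller-supplied lengths, not on secrets,
 * and guarantees that every read below stays inside the buffer. */
static unsigned line_matches(const char line[ENTRY_MAX],
                             const char *user, size_t ulen,
                             const char *pass, size_t plen) {
    if (ulen >= ENTRY_MAX || plen >= ENTRY_MAX - ulen - 1)
        return 0;
    /* Bitwise '&' and '|' instead of '&&' and '||': both comparisons run on
     * every line, whether or not the username matched. */
    unsigned u = ct_equal(user, line, ulen) & (unsigned)(line[ulen] == ':');
    unsigned p = ct_equal(pass, line + ulen + 1, plen);
    char end = line[ulen + 1 + plen];
    unsigned term = (unsigned)(end == ':') | (unsigned)(end == '\n') |
                    (unsigned)(end == '\r') | (unsigned)(end == '\0');
    return u & p & term;
}

/* Scans every entry of a constructed in-memory table; no early break. */
int check_password(const char *user, const char *pass) {
    static const char *entries[] = { /* constructed sample data */
        "alice:correct-horse\n", "bob:hunter2:comment\n",
    };
    size_t ulen = strlen(user), plen = strlen(pass);
    unsigned ok = 0;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        char line[ENTRY_MAX] = {0}; /* zero-filled, like the patched loop */
        strncpy(line, entries[i], ENTRY_MAX - 1);
        ok |= line_matches(line, user, ulen, pass, plen);
    }
    return (int)ok;
}
```

The terminator check after the password is what rejects a guess that is only a prefix of the stored value; without it, an equal-length comparison over `passlen` bytes would accept it.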
Preconditions
- config: memcached must be configured to use SASL password database authentication (the pwfile mechanism).
- network: Attacker must have network access to the memcached server's SASL authentication endpoint.
- input: Attacker must be able to send many authentication attempts with varying passwords to collect timing measurements.
Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References