VYPR
Severity: High (7.5) · NVD Advisory · Published May 24, 2026

CVE-2026-48829

Description

In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GNU SASL DIGEST-MD5 parser has a NULL pointer dereference that crashes clients and servers via crafted input without '=' in known tokens.

Vulnerability

In GNU SASL before version 2.2.3, the DIGEST-MD5 implementation contains a NULL pointer dereference in the lib/digest-md5/getsubopt.c file. When the parser encounters a known token (e.g., nonce) without an accompanying = character, the valuep pointer is set to NULL [1]. The callers in parser.c (parse_response, parse_challenge, and parse_finish) do not check for NULL before passing value to functions such as strdup(), strlen(), strcmp(), or strtoul(), or before dereferencing the pointer directly. This affects all versions from 0.0.0 up to and including 2.2.2 [2].

Exploitation

An unauthenticated attacker can trigger the vulnerability by sending a malformed DIGEST-MD5 token string that matches a known token but lacks the = character [1]. For example, the 6-byte payload `nonce,` is sufficient to crash a server or client that processes the message. No authentication or special network position is required; the attacker only needs to be able to deliver the crafted input to a GNU SASL-based application during the DIGEST-MD5 exchange. The provided proof of concept demonstrates a segmentation fault when the server calls strdup(value) on NULL [1].

Impact

Successful exploitation causes a NULL pointer dereference, leading to an immediate denial of service (DoS) via application crash (SIGSEGV). The advisory identifies at least 19 different code locations where this dereference can occur [1]. The vulnerability is reachable before authentication, so it can be used to disrupt SASL services relying on DIGEST-MD5. No information disclosure or code execution is indicated in the available references.

Mitigation

The fix was included in GNU SASL version 2.2.3, released on 2026-05-13 [2]. Users should upgrade to 2.2.3 or later. As a workaround, administrators can disable DIGEST-MD5 support in their applications or apply the patch from commit da9b5ae2962b014879e4a406c3b38f25aa70e97a [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 1

Vulnerability mechanics

Root cause

"Missing NULL check in getsubopt.c when a known DIGEST-MD5 token appears without an '=' character, causing the value pointer to be set to NULL and subsequently dereferenced by callers."

Attack vector

An unauthenticated attacker sends a malformed DIGEST-MD5 token that lacks the `=` character (e.g., the 6-byte string `nonce,`) during a SASL exchange [ref_id=1]. On the server side, this occurs when the attacker sends a crafted response during the AUTHENTICATE command; on the client side, a malicious server can send a malformed challenge [ref_id=1]. The parser in `getsubopt.c` matches the known token but sets the value pointer to NULL, and the caller dereferences it without a NULL check, causing an immediate crash [ref_id=1]. No authentication is required, and the attack is remotely exploitable over the network [ref_id=2].

Affected code

The vulnerability resides in `lib/digest-md5/getsubopt.c` at line 74, where the expression `*valuep = vstart != endp ? vstart + 1 : NULL` sets `valuep` to NULL when a known token appears without an accompanying `=` character [ref_id=1]. The callers in `lib/digest-md5/parser.c` (`parse_response`, `parse_challenge`, `parse_finish`) then use this NULL value without checking — passing it directly to `strdup()`, `strlen()`, `strcmp()`, `strtoul()`, or dereferencing it — causing SIGSEGV at 19 different locations [ref_id=1].

What the fix does

The fix changes line 74 of `lib/digest-md5/getsubopt.c` from `*valuep = vstart != endp ? vstart + 1 : NULL;` to `*valuep = vstart != endp ? vstart + 1 : "";` [ref_id=1]. By returning an empty string instead of NULL, the value pointer is never NULL, so the callers no longer crash when they pass it to `strdup()`, `strlen()`, `strcmp()`, or `strtoul()` [ref_id=1]. The existing validation logic in each caller (e.g., `strlen` checks, `strcmp` checks) already rejects empty strings, so no other code changes are needed [ref_id=1]. The advisory recommends upgrading to GNU SASL version 2.2.3 or later, or applying the patch to older releases [ref_id=2].
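To make the one-line fix concrete, here is a constructed illustration (added here; it is not GNU SASL's getsubopt.c or parser.c) of a `token[=value],` splitter with both the pre-2.2.3 and the post-fix value assignment side by side, plus a caller that, because the value can no longer be NULL, rejects `nonce,` with its ordinary empty-value check instead of crashing. The names `split_subopt`, `probe_value`, `extract_nonce` and the `DIGEST_TOKENS` list are assumptions for this example.

```c
/* Constructed illustration of the "token[=value]," splitting behind
 * CVE-2026-48829; not GNU SASL's getsubopt.c or parser.c. It mirrors only the
 * decision the fix changed: what *valuep becomes for a token without '='. */
#include <stdio.h>
#include <string.h>
static const char *const DIGEST_TOKENS[] = { "nonce", "realm", "qop", NULL };
/* Split the next element of *optionp; return its index in `tokens`, or -1.
 * hardened == 0 mimics pre-2.2.3 (*valuep == NULL when '=' is absent);
 * hardened != 0 mimics the fix (*valuep == "", safe for strlen/strcmp/strdup). */
static int split_subopt(char **optionp, const char *const *tokens,
                        const char **valuep, int hardened)
{
    char *p = *optionp, *end = p + strcspn(p, ",");   /* end of element */
    char *vstart = p + strcspn(p, "=,");   /* '=' if present, else == end */
    size_t keylen = (size_t)(vstart - p);
    *optionp = (*end == ',') ? end + 1 : end;
    *end = '\0';
    if (*vstart == '=')
        *vstart = '\0';
    *valuep = (vstart != end) ? vstart + 1 : (hardened ? "" : NULL);
    for (int i = 0; tokens[i]; i++)
        if (strlen(tokens[i]) == keylen && memcmp(tokens[i], p, keylen) == 0)
            return i;
    return -1;
}
/* 0: value is NULL (any dereference SIGSEGVs), 1: "", 2: non-empty. */
static int probe_value(const char *element, int hardened)
{
    char buf[64], *cur = buf;
    const char *value;
    snprintf(buf, sizeof buf, "%s", element);
    split_subopt(&cur, DIGEST_TOKENS, &value, hardened);
    return value == NULL ? 0 : (value[0] == '\0' ? 1 : 2);
}
/* A caller written the way post-fix parser.c can afford to be: the value is
 * never NULL, so the usual empty-nonce check rejects "nonce," cleanly. */
static const char *extract_nonce(const char *challenge)
{
    static char out[128];
    char buf[256], *cur = buf;
    const char *value = ""; int idx = -1;
    snprintf(buf, sizeof buf, "%s", challenge);
    while (*cur && idx != 0)
        idx = split_subopt(&cur, DIGEST_TOKENS, &value, 1);
    if (idx != 0 || value[0] == '\0')   /* no nonce, or "nonce,": reject */
        return NULL;
    snprintf(out, sizeof out, "%s", value);
    return out;
}
```

Calling `probe_value("nonce,", 0)` yields the NULL the advisory describes, while `probe_value("nonce,", 1)` yields an empty string that every existing `strlen`/`strcmp` check already rejects.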

Preconditions

  • network: The attacker must be able to initiate a DIGEST-MD5 SASL exchange with the target (no prior authentication required)
  • config: The target software must use libgsasl with DIGEST-MD5 enabled
  • input: The attacker sends a known token (e.g., 'nonce') without an accompanying '=' character

Reproduction

Compile and run the following PoC against any libgsasl installation:

`#include` (the remainder of the proof-of-concept source is truncated on this page)

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4