CVE-2026-47784 Overview
CVE-2026-47784 is a timing side-channel vulnerability in memcached versions before 1.6.42. The flaw resides in the sasl_server_userdb_checkpass function, which uses the standard memcmp routine to compare passwords stored in the Simple Authentication and Security Layer (SASL) password database. Because memcmp returns as soon as it detects a byte mismatch, the comparison time leaks information about how many leading bytes match the stored credential. An attacker on the network can measure these timing differences and progressively recover password material. The issue is tracked under CWE-208: Observable Timing Discrepancy.
Critical Impact
Network-positioned attackers can recover SASL authentication credentials by measuring response timing, leading to full compromise of memcached confidentiality, integrity, and availability.
Affected Products
- memcached versions prior to 1.6.42
- Deployments using SASL password database authentication (sasl_defs.c)
- Applications relying on memcached SASL for client authentication
Discovery Timeline
- 2026-05-20 - CVE-2026-47784 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-47784
Vulnerability Analysis
The vulnerability is a classic timing side channel in credential verification. When a client authenticates via SASL, memcached reads each line of the password file and compares the supplied username and password against stored values. The original implementation called memcmp(pass, buffer + unmlen, passlen), which exits at the first differing byte. The elapsed time between request and response correlates with the number of matching leading bytes, allowing an attacker to infer one byte at a time.
A remote attacker who can issue authentication attempts and accurately measure server response time can mount a byte-by-byte password recovery attack. Once a valid SASL credential is recovered, the attacker gains authenticated access to cached data, which often includes session tokens, application state, and other sensitive material.
Root Cause
The root cause is the use of a non-constant-time comparison primitive (memcmp) inside sasl_server_userdb_checkpass in sasl_defs.c. Comparing secret material with memcmp violates the principle that cryptographic and credential comparisons must complete in time independent of input contents.
Attack Vector
Exploitation requires network access to the memcached SASL authentication interface and the ability to perform repeated authentication attempts with statistical timing analysis. High attack complexity reflects the need for stable network conditions and many measurements to overcome jitter, but no privileges or user interaction are required.
char buffer[MAX_ENTRY_LEN];
bool ok = false;
- while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
- if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
- /* This is the correct user */
- ++unmlen;
- if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
- (buffer[unmlen + passlen] == ':' || /* Additional tokens */
- buffer[unmlen + passlen] == '\n' || /* end of line */
- buffer[unmlen + passlen] == '\r'|| /* dos format? */
- buffer[unmlen + passlen] == '\0')) { /* line truncated */
+ while (1) {
+ memset(buffer, 0, sizeof(buffer));
+ if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
+ break;
+ if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
+ if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
+ (buffer[unmlen + 1 + passlen] == ':' ||
+ buffer[unmlen + 1 + passlen] == '\n' ||
+ buffer[unmlen + 1 + passlen] == '\r' ||
+ buffer[unmlen + 1 + passlen] == '\0')) {
ok = true;
}
-
- break;
}
}
(void)fclose(pwfile);
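Review bot: the new `&&` chain still short-circuits, so `safe_memcmp(pass, buffer + unmlen + 1, passlen)` only executes on the line whose username matched; the loop's duration therefore still differs between a username present in the file and one that is not, and the patch should state that it closes the per-byte password leak rather than every timing difference. Two smaller points in the same region: the return convention is inverted relative to the old code (`memcmp(...) == 0` became a bare `safe_memcmp(...)` truth test), which deserves a comment at both call sites, and the `memset(buffer, 0, sizeof(buffer))` before each `fgets` is what makes reading `buffer[unmlen + 1 + passlen]` past a short line defined, so it must not be dropped in later cleanups.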
The patch replaces memcmp with a constant-time safe_memcmp helper, zeroes the line buffer before every read, and removes the early break, so that every line of the password file is scanned and the credential comparisons complete in time independent of the bytes being compared. Source: memcached commit d13f282b.
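The following is an added example, not code from memcached or its patch: a constant-time equality helper (ct_memeq, an assumed name and not memcached's safe_memcmp) and a check of the same shape as the patched loop, run over a constructed in-memory user:password database instead of a file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constant-time equality (illustrative, not memcached's safe_memcmp):
 * visits every byte, OR-accumulates differences, has no data-dependent
 * early exit. Returns true when the n bytes are equal. */
bool ct_memeq(const void *a, const void *b, size_t n) {
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= pa[i] ^ pb[i];
    return acc == 0;
}

/* Constructed sample database in memcached's user:password[:extra] line
 * format (memcached reads such lines from a file with fgets). */
static const char *const SAMPLE_DB[] = {
    "alice:correct horse:admin\n",
    "bob:hunter2\r\n",
    "carol:s3cret",
};
static const size_t SAMPLE_DB_LEN = sizeof(SAMPLE_DB) / sizeof(SAMPLE_DB[0]);

/* Mirrors the patched loop: every line is examined (no break after a
 * match), the buffer is zeroed before each copy so reads past a short
 * line are defined, and secret bytes are compared only through ct_memeq.
 * The password must be followed by ':', '\n', '\r' or '\0', as in the patch. */
bool userdb_checkpass(const char *const *lines, size_t nlines,
                      const char *user, const char *pass) {
    size_t unmlen = strlen(user), passlen = strlen(pass);
    bool ok = false;
    for (size_t i = 0; i < nlines; i++) {
        char buffer[256];
        memset(buffer, 0, sizeof(buffer));
        strncpy(buffer, lines[i], sizeof(buffer) - 1);
        if (unmlen + 1 + passlen >= sizeof(buffer))
            continue;                      /* entry cannot fit; skip it */
        if (ct_memeq(user, buffer, unmlen) && buffer[unmlen] == ':' &&
            ct_memeq(pass, buffer + unmlen + 1, passlen)) {
            char term = buffer[unmlen + 1 + passlen];
            if (term == ':' || term == '\n' || term == '\r' || term == '\0')
                ok = true;
        }
    }
    return ok;
}
```

As in the patch, the `&&` chain still short-circuits on the username and delimiter checks, so this removes the per-byte password leak but not the timing difference between a username that exists in the file and one that does not.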
Detection Methods for CVE-2026-47784
Indicators of Compromise
- High volumes of SASL authentication attempts from a single source against a memcached instance
- Repeated failed authentication entries in memcached logs with incremental variation in submitted credentials
- Anomalous external connections to memcached TCP port 11211 from non-application hosts
Detection Strategies
- Correlate authentication failure spikes against the same memcached node over short time windows to identify timing-attack reconnaissance
- Alert on memcached SASL traffic originating from networks that are not part of the approved application tier
- Inventory memcached deployments and flag any binary reporting a version earlier than 1.6.42
Monitoring Recommendations
- Forward memcached logs to a centralized analytics platform and track authentication failure rates per source IP
- Monitor network flow data for sustained, high-frequency connections to port 11211 consistent with timing measurement loops
- Track package inventory for memcached versions and trigger alerts when versions prior to 1.6.42 are detected
How to Mitigate CVE-2026-47784
Immediate Actions Required
- Upgrade memcached to version 1.6.42 or later on all affected hosts
- Restrict network access to memcached so that only trusted application servers can reach the SASL authentication interface
- Rotate any SASL credentials that may have been used on vulnerable instances exposed to untrusted networks
Patch Information
The fix is included in memcached 1.6.42. The remediation introduces a constant-time comparison routine (safe_memcmp) in sasl_defs.c and removes the short-circuit break that exposed timing differences. Review the memcached 1.6.42 release notes, the version comparison 1.6.41...1.6.42, and the patch commit d13f282b.
Workarounds
- Bind memcached to loopback or to a private management network when SASL is not required by remote clients
- Place memcached behind a host-based firewall that limits source addresses permitted to perform authentication
- Disable SASL authentication and rely on network segmentation until the upgrade to 1.6.42 is deployed
# Verify installed memcached version and upgrade
memcached -V
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade memcached
# RHEL/Rocky/Alma
sudo dnf upgrade memcached
# Restart and confirm the patched version
sudo systemctl restart memcached
memcached -V # expect 1.6.42 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.