Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47784

CVE-2026-47784: memcached Timing Side Channel Vulnerability

CVE-2026-47784 is a timing side channel vulnerability in memcached that exposes password data during SASL authentication. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-47784 Overview

CVE-2026-47784 is a timing side-channel vulnerability in memcached versions before 1.6.42. The flaw resides in the sasl_server_userdb_checkpass function, which uses the standard memcmp routine to compare passwords stored in the Simple Authentication and Security Layer (SASL) password database. Because memcmp returns as soon as it detects a byte mismatch, the comparison time leaks information about how many leading bytes match the stored credential. An attacker on the network can measure these timing differences and progressively recover password material. The issue is tracked under CWE-208: Observable Timing Discrepancy.

Critical Impact

Network-positioned attackers can recover SASL authentication credentials by measuring response timing, leading to full compromise of memcached confidentiality, integrity, and availability.

Affected Products

  • memcached versions prior to 1.6.42
  • Deployments using SASL password database authentication (sasl_defs.c)
  • Applications relying on memcached SASL for client authentication

Discovery Timeline

  • 2026-05-20 - CVE-2026-47784 published to NVD
  • 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-47784

Vulnerability Analysis

The vulnerability is a classic timing side channel in credential verification. When a client authenticates via SASL, memcached reads each line of the password file and compares the supplied username and password against stored values. The original implementation called memcmp(pass, buffer + unmlen, passlen), which exits at the first differing byte. The elapsed time between request and response correlates with the number of matching leading bytes, allowing an attacker to infer one byte at a time.

A remote attacker who can issue authentication attempts and accurately measure server response time can mount a byte-by-byte password recovery attack. Once a valid SASL credential is recovered, the attacker gains authenticated access to cached data, which often includes session tokens, application state, and other sensitive material.

Root Cause

The root cause is the use of a non-constant-time comparison primitive (memcmp) inside sasl_server_userdb_checkpass in sasl_defs.c. Comparing secret material with memcmp violates the principle that cryptographic and credential comparisons must complete in time independent of input contents.

Attack Vector

Exploitation requires network access to the memcached SASL authentication interface and the ability to perform repeated authentication attempts with statistical timing analysis. High attack complexity reflects the need for stable network conditions and many measurements to overcome jitter, but no privileges or user interaction are required.

c
     char buffer[MAX_ENTRY_LEN];
     bool ok = false;
 
-    while ((fgets(buffer, sizeof(buffer), pwfile)) != NULL) {
-        if (memcmp(user, buffer, unmlen) == 0 && buffer[unmlen] == ':') {
-            /* This is the correct user */
-            ++unmlen;
-            if (memcmp(pass, buffer + unmlen, passlen) == 0 &&
-                (buffer[unmlen + passlen] == ':' || /* Additional tokens */
-                 buffer[unmlen + passlen] == '\n' || /* end of line */
-                 buffer[unmlen + passlen] == '\r'|| /* dos format? */
-                 buffer[unmlen + passlen] == '\0')) { /* line truncated */
+    while (1) {
+        memset(buffer, 0, sizeof(buffer));
+        if (fgets(buffer, sizeof(buffer), pwfile) == NULL)
+            break;
+        if (safe_memcmp(user, buffer, unmlen) && buffer[unmlen] == ':') {
+            if (safe_memcmp(pass, buffer + unmlen + 1, passlen) &&
+                (buffer[unmlen + 1 + passlen] == ':' ||
+                 buffer[unmlen + 1 + passlen] == '\n' ||
+                 buffer[unmlen + 1 + passlen] == '\r' ||
+                 buffer[unmlen + 1 + passlen] == '\0')) {
                 ok = true;
             }
-
-            break;
         }
     }
     (void)fclose(pwfile);

The patch replaces memcmp with a constant-time safe_memcmp helper and removes the early break, ensuring the comparison loop runs in time independent of input contents. Source: memcached commit d13f282b.

Detection Methods for CVE-2026-47784

Indicators of Compromise

  • High volumes of SASL authentication attempts from a single source against a memcached instance
  • Repeated failed authentication entries in memcached logs with incremental variation in submitted credentials
  • Anomalous external connections to memcached TCP port 11211 from non-application hosts

Detection Strategies

  • Correlate authentication failure spikes against the same memcached node over short time windows to identify timing-attack reconnaissance
  • Alert on memcached SASL traffic originating from networks that are not part of the approved application tier
  • Inventory memcached deployments and flag any binary reporting a version earlier than 1.6.42

Monitoring Recommendations

  • Forward memcached logs to a centralized analytics platform and track authentication failure rates per source IP
  • Monitor network flow data for sustained, high-frequency connections to port 11211 consistent with timing measurement loops
  • Track package inventory for memcached versions and trigger alerts when versions prior to 1.6.42 are detected

How to Mitigate CVE-2026-47784

Immediate Actions Required

  • Upgrade memcached to version 1.6.42 or later on all affected hosts
  • Restrict network access to memcached so that only trusted application servers can reach the SASL authentication interface
  • Rotate any SASL credentials that may have been used on vulnerable instances exposed to untrusted networks

Patch Information

The fix is included in memcached 1.6.42. The remediation introduces a constant-time comparison routine (safe_memcmp) in sasl_defs.c and removes the short-circuit break that exposed timing differences. Review the memcached 1.6.42 release notes, the version comparison 1.6.41...1.6.42, and the patch commit d13f282b.

Workarounds

  • Bind memcached to loopback or to a private management network when SASL is not required by remote clients
  • Place memcached behind a host-based firewall that limits source addresses permitted to perform authentication
  • Disable SASL authentication and rely on network segmentation until the upgrade to 1.6.42 is deployed
bash
# Verify installed memcached version and upgrade
memcached -V
# Debian/Ubuntu
sudo apt-get update && sudo apt-get install --only-upgrade memcached
# RHEL/Rocky/Alma
sudo dnf upgrade memcached
# Restart and confirm the patched version
sudo systemctl restart memcached
memcached -V   # expect 1.6.42 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.