memcached up to 1.6.41 sasl_server_userdb_checkpass timing discrepancy
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.8 | $0-$5k | 0.00 |
Summary
A vulnerability, which was classified as problematic, was found in memcached up to 1.6.41. This affects the function sasl_server_userdb_checkpass. Executing a manipulation can lead to timing discrepancy.
This vulnerability appears as CVE-2026-47783. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
Details
A vulnerability has been found in memcached up to 1.6.41 and classified as problematic. This vulnerability affects the function sasl_server_userdb_checkpass. The manipulation with an unknown input leads to a timing discrepancy vulnerability. The CWE definition for the vulnerability is CWE-208. Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. As an impact it is known to affect confidentiality. CVE summarizes:
In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.
The advisory is shared for download at github.com. This vulnerability was named CVE-2026-47783 since 05/20/2026. The exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.
The vulnerability scanner Nessus provides a plugin with the ID 315754 (Linux Distros Unpatched Vulnerability : CVE-2026-47783), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 1.6.42 eliminates this vulnerability.
The vulnerability is also documented in the databases at Tenable (315754), EUVD (EUVD-2026-31065) and CERT Bund (WID-SEC-2026-1615). Once again VulDB remains the best source for vulnerability data.
Affected
- Debian Linux
- Open Source memcached
Product
Name
Version
- 1.6.0
- 1.6.1
- 1.6.2
- 1.6.3
- 1.6.4
- 1.6.5
- 1.6.6
- 1.6.7
- 1.6.8
- 1.6.9
- 1.6.10
- 1.6.11
- 1.6.12
- 1.6.13
- 1.6.14
- 1.6.15
- 1.6.16
- 1.6.17
- 1.6.18
- 1.6.19
- 1.6.20
- 1.6.21
- 1.6.22
- 1.6.23
- 1.6.24
- 1.6.25
- 1.6.26
- 1.6.27
- 1.6.28
- 1.6.29
- 1.6.30
- 1.6.31
- 1.6.32
- 1.6.33
- 1.6.34
- 1.6.35
- 1.6.36
- 1.6.37
- 1.6.38
- 1.6.39
- 1.6.40
- 1.6.41
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔒VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 5.9VulDB Meta Temp Score: 5.8
VulDB Base Score: 3.7
VulDB Temp Score: 3.6
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 8.1
CNA Vector (MITRE): 🔒
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploiting
Class: Timing discrepancyCWE: CWE-208 / CWE-203 / CWE-200
CAPEC: 🔒
ATT&CK: 🔒
Physical: No
Local: No
Remote: Yes
Availability: 🔒
Status: Not defined
EPSS Score: 🔒
EPSS Percentile: 🔒
Price Prediction: 🔍
Current Price Estimation: 🔒
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 315754
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-47783
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔒
Upgrade: memcached 1.6.42
Timeline
05/20/2026 Advisory disclosed05/20/2026 CVE reserved
05/20/2026 VulDB entry created
05/27/2026 VulDB entry last update
Sources
Product: github.comAdvisory: d13f282b4bce33a9c33b8a1bbf07f12114160fed
Status: Confirmed
CVE: CVE-2026-47783 (🔒)
GCVE (CVE): GCVE-0-2026-47783
GCVE (VulDB): GCVE-100-364828
EUVD: 🔒
CERT Bund: WID-SEC-2026-1615 - memcached: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Entry
Created: 05/20/2026 08:36Updated: 05/27/2026 10:14
Changes: 05/20/2026 08:36 (64), 05/20/2026 10:38 (1), 05/21/2026 18:17 (2), 05/22/2026 05:09 (7), 05/27/2026 10:14 (1)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.