{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47784", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-05-20T05:45:37.209Z", "datePublished": "2026-05-20T05:45:37.864Z", "dateUpdated": "2026-05-20T12:21:02.894Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "memcached", "vendor": "memcached", "versions": [{"lessThan": "1.6.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-20T05:45:37.864Z"}, "references": [{"url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.42"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-20T12:20:56.239253Z", "id": "CVE-2026-47784", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T12:21:02.894Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47784", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-20T12:20:56.239253Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T12:20:59.429Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "memcached", "product": "memcached", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.42", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.6.42"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-20T05:45:37.864Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47784", "state": "PUBLISHED", "dateUpdated": "2026-05-20T12:21:02.894Z", "dateReserved": "2026-05-20T05:45:37.209Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-05-20T05:45:37.864Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EA02C48-8B8D-4F73-9DA2-33B1535B1AF2", "versionEndExcluding": "1.6.42", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass."}], "id": "CVE-2026-47784", "lastModified": "2026-05-21T17:06:33.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-05-20T07:16:15.733", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "memcached: Memcached: Information disclosure via timing side channel", "id": "2480088", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480088"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-208", "details": ["A flaw was found in memcached. This vulnerability involves a timing side channel during SASL (Simple Authentication and Security Layer) password database authentication. A remote attacker could potentially exploit the timing differences in the password verification process to infer sensitive password data. This could lead to unauthorized access to the memcached instance."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to the memcached service to only trusted clients and networks using firewall rules. If SASL authentication is not strictly required, consider disabling it. If SASL is necessary, ensure that strong, unique passwords are used and rotated regularly.\nExample firewall rule (adjust port and source as needed):\n`firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"<TRUSTED_IP_RANGE>\" port port=\"11211\" protocol=\"tcp\" accept'`\n`firewall-cmd --reload`\nTo bind memcached to localhost, edit `/etc/sysconfig/memcached` and set `OPTIONS=\"-l 127.0.0.1\"`. Restart the memcached service:\n`systemctl restart memcached`\nNote that restarting the memcached service will clear all cached data."}, "name": "CVE-2026-47784", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:hummingbird:1", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Hardened Images"}], "public_date": "2026-05-20T05:45:37Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47784\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47784\nhttps://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed\nhttps://github.com/memcached/memcached/compare/1.6.41...1.6.42\nhttps://github.com/memcached/memcached/wiki/ReleaseNotes1642"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.6.42)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "memcached", "source": "cna", "vendor": "memcached"}, "product": "memcached", "vendor": "memcached"}], "created": "2026-05-20T07:30:25.322659+00:00", "title": "Timing Side Channel in Memcached SASL Authentication", "updated": "2026-05-20T09:30:15.681758+00:00", "vendors": ["memcached", "memcached$PRODUCT$memcached"]}