PatchSiren cyber security CVE debrief
CVE-2026-48829 GNU CVE debrief
A NULL pointer dereference vulnerability exists in GNU SASL versions prior to 2.2.3, specifically within the DIGEST-MD5 authentication mechanism implementation. The flaw resides in lib/digest-md5/getsubopt.c and is triggered when parsing a known token that lacks an accompanying '=' character. This vulnerability affects both client and server implementations, allowing remote unauthenticated attackers to cause denial of service through application crashes. The issue was addressed in GNU SASL 2.2.3 via a code commit that properly handles malformed token input.
- Vendor: GNU
- Product: GNU SASL
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-24
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-24
- Advisory updated: 2026-05-26
Who should care
Organizations running GNU SASL-based services with DIGEST-MD5 authentication enabled, particularly mail servers (SMTP, IMAP, POP3), XMPP servers, and other SASL-authenticated applications. System administrators maintaining Debian-based systems should prioritize updates per DSA-2026-00182. Developers integrating GNU SASL should review their authentication mechanism configurations and update dependencies.
Technical summary
The vulnerability exists in the DIGEST-MD5 mechanism's option parsing code within lib/digest-md5/getsubopt.c. When processing authentication tokens, the code fails to validate that a token includes a required '=' character before dereferencing pointers, resulting in a NULL pointer dereference. Both client and server code paths are affected. An attacker can trigger this by sending a crafted DIGEST-MD5 authentication exchange with a malformed token. The CVSS 3.1 score of 7.5 (HIGH) reflects the network accessibility, low attack complexity, and high availability impact with no confidentiality or integrity effects.
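To make the weakness class concrete, here is an added illustration (not code from GNU SASL or its fix commit) of a getsubopt-style directive parser that handles the case the advisory describes: a recognised token name that arrives without an '=' is rejected instead of having the NULL result of the '=' search dereferenced. The directive names, the function names `safe_getsubopt` and `scan_directives`, and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Recognised directive names (constructed list for this example). */
static const char *const tokens[] = { "realm", "nonce", "qop", "charset", NULL };

/* Parse the next comma-separated "name=value" directive from *optionp.
 * Returns the index of the matching token and points *valuep at the value.
 * Returns -1 (with *valuep = NULL) when the name is unknown OR when a known
 * name has no '='.  The second case is exactly where a parser that assumes
 * strchr(p, '=') succeeded would dereference a NULL pointer (CWE-476). */
int safe_getsubopt(char **optionp, const char *const *toks, char **valuep)
{
    char *p = *optionp;
    char *end, *eq;
    size_t i, namelen;

    *valuep = NULL;
    if (p == NULL || *p == '\0')
        return -1;

    end = strchr(p, ',');
    if (end == NULL)
        end = p + strlen(p);          /* last directive: stop at the NUL */
    else
        *end++ = '\0';                /* terminate here, skip past the comma */
    *optionp = end;

    eq = strchr(p, '=');
    namelen = eq ? (size_t)(eq - p) : strlen(p);   /* no '=': whole thing is the name */

    for (i = 0; toks[i] != NULL; i++) {
        if (strlen(toks[i]) == namelen && strncmp(p, toks[i], namelen) == 0) {
            if (eq == NULL)
                return -1;            /* known name, missing '=': reject, never deref */
            *valuep = eq + 1;
            return (int)i;
        }
    }
    return -1;                        /* unknown directive */
}

/* Walk a whole directive string (modified in place).  Returns how many
 * well-formed known directives were parsed; *rejected counts the rest. */
int scan_directives(char *list, int *rejected)
{
    char *val;
    int ok = 0;
    *rejected = 0;
    while (*list != '\0') {
        if (safe_getsubopt(&list, tokens, &val) >= 0)
            ok++;
        else
            (*rejected)++;
    }
    return ok;
}
```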
Defensive priority
HIGH
Recommended defensive actions
- Upgrade GNU SASL to version 2.2.3 or later
- Apply distribution security updates for affected packages (Debian DSA-2026-00182)
- Review applications using GNU SASL for DIGEST-MD5 authentication and prioritize patching for internet-facing services
- Monitor the GNU SASL help mailing list for additional guidance
Evidence notes
The vulnerability is confirmed through official GNU SASL project communications and a code commit on Codeberg. The fix commit (da9b5ae2962b014879e4a406c3b38f25aa70e97a) addresses the NULL pointer dereference in getsubopt.c. Debian has issued a security advisory (DSA-2026-00182) indicating coordinated disclosure and patch availability. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) confirms network attack vector with low complexity and high availability impact. CWE-476 (NULL Pointer Dereference) is the assigned weakness classification.
Official resources
2026-05-24