PatchSiren cyber security CVE debrief

CVE-2026-47783 memcached CVE debrief

CVE-2026-47783 affects memcached versions before 1.6.42. In SASL password database authentication, sasl_server_userdb_checkpass exits its loop as soon as it finds a valid username, creating a timing side channel (CWE-208). NVD lists the issue as HIGH severity with CVSS 8.1, and the supplied record shows the item was still undergoing analysis at the time of publication.

Vendor: memcached
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators and security teams running memcached with SASL password database authentication should treat this as a priority fix, especially where the service is network-accessible or timing differences could be observed.

Technical summary

The vulnerability is a username-enumeration timing leak in memcached's SASL password database authentication path. Because the loop stops immediately when a valid username is found, response timing can vary based on whether a username exists, which aligns with CWE-208. The upstream remediation is associated with memcached 1.6.42, with NVD pointing to the fixing commit, the 1.6.41...1.6.42 comparison, and the 1.6.42 release notes.
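As an added illustration of the pattern the summary describes (constructed example code, not memcached's own source), the C block below places an early-exit username lookup next to a fixed-work alternative that walks the whole table and compares every entry without data-dependent early termination; the sample table, MAX_FIELD and the function names are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
#define MAX_FIELD 64   /* longest accepted username/password, including NUL */

struct userdb_entry {
    const char *user;
    const char *pass;
};

/* Constructed sample password database (not real credentials). */
static const struct userdb_entry sample_db[] = {
    { "alice", "s3cret" },
    { "bob",   "hunter2" },
    { "carol", "pa55w0rd" },
};
static const size_t sample_db_len = sizeof sample_db / sizeof sample_db[0];

/* Early-exit pattern (CWE-208): returns on the first username match, so the
 * amount of work done depends on whether, and where, the username exists. */
int checkpass_early_exit(const char *user, const char *pass) {
    for (size_t i = 0; i < sample_db_len; i++) {
        if (strcmp(sample_db[i].user, user) == 0)
            return strcmp(sample_db[i].pass, pass) == 0;
    }
    return 0;
}

/* Compare two strings through fixed-size buffers with no early termination.
 * Returns 1 if equal, 0 otherwise; over-long inputs are rejected outright. */
static int ct_equal(const char *a, const char *b) {
    if (strlen(a) >= MAX_FIELD || strlen(b) >= MAX_FIELD) return 0;
    unsigned char ba[MAX_FIELD] = {0}, bb[MAX_FIELD] = {0};
    memcpy(ba, a, strlen(a));
    memcpy(bb, b, strlen(b));
    unsigned char diff = 0;
    for (size_t i = 0; i < MAX_FIELD; i++) diff |= ba[i] ^ bb[i];
    return diff == 0;
}

/* Fixed-work pattern: walks the whole table and compares every entry's
 * username and password, OR-ing the results, so the work performed does
 * not depend on whether the supplied username is present in the table. */
int checkpass_fixed_work(const char *user, const char *pass) {
    unsigned int ok = 0;
    for (size_t i = 0; i < sample_db_len; i++) {
        unsigned int u = (unsigned int)ct_equal(sample_db[i].user, user);
        unsigned int p = (unsigned int)ct_equal(sample_db[i].pass, pass);
        ok |= u & p;
    }
    return (int)ok;
}
```

Both functions return the same accept/reject answers; the difference is only in how much work is done for an unknown username, which is the property the CWE-208 classification is about.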

Defensive priority

High. Upgrade memcached to 1.6.42 or later as soon as practical if SASL password database authentication is enabled, because the flaw can expose authentication metadata through timing differences without requiring user interaction.

Recommended defensive actions

  • Upgrade memcached to version 1.6.42 or later.
  • Review the upstream 1.6.42 release notes and the 1.6.41...1.6.42 comparison to confirm the fix is present in your build.
  • If SASL password database authentication is enabled, minimize exposure of the service to untrusted network observers.
  • Audit fleets and containers for older memcached binaries so patched versions are actually deployed everywhere.

Evidence notes

This debrief is based on the supplied CVE description and official references. The record states: memcached before 1.6.42, timing side channel in SASL password database authentication, and CWE-208. NVD metadata shows CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H and status 'Undergoing Analysis' at the supplied modified time. Official references include the upstream commit d13f282b4bce33a9c33b8a1bbf07f12114160fed, the 1.6.41...1.6.42 comparison, and the 1.6.42 release notes.

Official resources

Published 2026-05-20T07:16:15.533Z and modified 2026-05-20T14:24:24.227Z. The supplied enrichment does not include a KEV entry.