PatchSiren cyber security CVE debrief

CVE-2026-47784 memcached CVE debrief

CVE-2026-47784 is a timing side-channel issue in memcached’s SASL password database authentication path. The flaw exists in versions before 1.6.42, where sasl_server_userdb_checkpass uses memcmp in a way that can leak information through response timing. The record was published by NVD/MITRE on 2026-05-20 and was still marked "Undergoing Analysis" in the source snapshot. NVD rates the issue HIGH (CVSS 8.1).

Vendor: memcached
Product: Unknown
CVSS: 8.1 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Operators running memcached with SASL password database authentication enabled, especially internet-facing deployments; security teams responsible for service hardening; and package or platform maintainers who distribute memcached.

Technical summary

The vulnerability is classified as CWE-208 (Observable Timing Discrepancy). In memcached before 1.6.42, sasl_server_userdb_checkpass relies on memcmp when checking SASL password database credentials. Because memcmp may return as soon as it finds the first differing byte, the time the check takes depends on how much of the supplied value matches the stored one, so an attacker who can measure response timing may be able to infer password data. The linked memcached 1.6.42 release materials and commit indicate the issue was addressed in that release line.
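The following C program is an added illustration of the weakness class, not memcached's code and not the project's fix. It models an early-exit byte comparison (the memcmp behaviour described above) and counts how many bytes are read before the comparison stops, then shows the constant-time pattern that a credential check should use instead: every byte of the supplied value is visited and differences are OR-ed into an accumulator, so the work done no longer depends on where a mismatch occurs. The stored credential and the guesses are constructed sample values; the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an early-exit byte comparison, the memcmp behaviour the advisory
 * describes. It stops at the first differing byte, so the work done (and
 * therefore the response time) grows with the length of the matching prefix.
 * Returns the number of bytes inspected before the comparison ended. */
static size_t early_exit_examined(const char *stored, const char *guess)
{
    size_t stored_len = strlen(stored);
    size_t guess_len = strlen(guess);
    if (stored_len != guess_len)
        return 0;               /* rejected before any byte is read */
    for (size_t i = 0; i < stored_len; i++) {
        if (stored[i] != guess[i])
            return i + 1;       /* bytes read before the mismatch stopped it */
    }
    return stored_len;          /* full match: every byte read */
}

/* Constant-time replacement. Every byte of the guess is visited regardless of
 * where (or whether) a mismatch occurs; differences are OR-ed into an
 * accumulator instead of triggering an early return. When the lengths differ,
 * the guess is compared against itself so the loop still runs guess_len
 * times, and the result is forced to "no match" by the length flag. Only the
 * caller-supplied guess length influences timing, which is the usual contract
 * of routines such as OpenSSL's CRYPTO_memcmp. Returns 1 on match, else 0. */
static int constant_time_password_matches(const char *stored, const char *guess)
{
    size_t stored_len = strlen(stored);
    size_t guess_len = strlen(guess);
    const uint8_t *a = (const uint8_t *)stored;
    const uint8_t *b = (const uint8_t *)guess;
    uint8_t diff = (uint8_t)(stored_len != guess_len);
    if (diff)
        a = b;                  /* lengths differ: keep the loop bounds valid */
    for (size_t i = 0; i < guess_len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Byte-visit count for the constant-time path: always the full guess length. */
static size_t constant_time_examined(const char *guess)
{
    return strlen(guess);
}

int main(void)
{
    const char *stored = "correct-horse";   /* constructed sample credential */
    const char *guesses[] = {
        "xorrect-horse", "corrXct-horse", "correct-horsX", "correct-horse"
    };
    for (size_t i = 0; i < sizeof guesses / sizeof guesses[0]; i++) {
        printf("%-14s early-exit bytes read=%2zu  constant-time bytes read=%2zu  match=%d\n",
               guesses[i],
               early_exit_examined(stored, guesses[i]),
               constant_time_examined(guesses[i]),
               constant_time_password_matches(stored, guesses[i]));
    }
    return 0;
}
```

Run as written, the early-exit column climbs from 1 to 13 as the guesses share a longer prefix with the stored value, while the constant-time column stays at 13 for every guess; that difference in work is the observable discrepancy CWE-208 names. In production code, prefer a vetted library routine (for example CRYPTO_memcmp) over a hand-rolled loop, and compile with optimisations in mind, since a compiler may rewrite a naive loop unless the accumulator pattern is used.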

Defensive priority

High. This affects authentication handling and may expose secret material through timing behavior, so remediation should be prioritized for any deployment using SASL password database authentication.

Recommended defensive actions

  • Upgrade memcached to 1.6.42 or later.
  • If immediate upgrading is not possible, reduce exposure of the SASL-authenticated service to untrusted networks.
  • Confirm whether SASL password database authentication is enabled in each deployment and disable it where it is not required.
  • Review the linked memcached commit and 1.6.42 release notes to verify the fix is present in your packaged build.
  • Reassess configurations and access controls for any externally reachable memcached instance using SASL authentication.

Evidence notes

Source data ties the issue to memcached before 1.6.42 and identifies the root cause as memcmp usage in sasl_server_userdb_checkpass. The NVD record lists CWE-208 and a CVSS vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The NVD snapshot in the supplied corpus was published on 2026-05-20 and marked "Undergoing Analysis" at the time of retrieval.

Official resources

Publicly disclosed in the CVE/NVD record on 2026-05-20.