{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-47783", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-05-20T05:43:46.363Z", "datePublished": "2026-05-20T05:43:46.976Z", "dateUpdated": "2026-05-20T12:49:58.195Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "memcached", "vendor": "memcached", "versions": [{"lessThan": "1.6.42", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-20T05:43:46.976Z"}, "references": [{"url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.6.42"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-20T12:49:50.253452Z", "id": "CVE-2026-47783", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T12:49:58.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-47783", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-05-20T12:49:50.253452Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-20T12:49:54.179Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "memcached", "product": "memcached", "versions": [{"status": "affected", "version": "0", "lessThan": "1.6.42", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-208", "description": "CWE-208 Observable Timing Discrepancy"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.6.42"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-05-20T05:43:46.976Z"}}}, "cveMetadata": {"cveId": "CVE-2026-47783", "state": "PUBLISHED", "dateUpdated": "2026-05-20T12:49:58.195Z", "dateReserved": "2026-05-20T05:43:46.363Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-05-20T05:43:46.976Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*", "matchCriteriaId": "4EA02C48-8B8D-4F73-9DA2-33B1535B1AF2", "versionEndExcluding": "1.6.42", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass."}], "id": "CVE-2026-47783", "lastModified": "2026-05-21T17:06:40.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-05-20T07:16:15.533", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/memcached/memcached/compare/1.6.41...1.6.42"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-208"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "memcached: memcached: Username enumeration via timing side channel", "id": "2480089", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480089"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-208", "details": ["A flaw was found in memcached. A remote attacker can exploit a timing side channel during Simple Authentication and Security Layer (SASL) password database authentication. This vulnerability allows an attacker to observe subtle timing differences, which could be used to enumerate valid usernames."], "name": "CVE-2026-47783", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "memcached", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-05-20T05:43:46Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-47783\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47783\nhttps://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed\nhttps://github.com/memcached/memcached/compare/1.6.41...1.6.42\nhttps://github.com/memcached/memcached/wiki/ReleaseNotes1642"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.6.42)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "memcached", "source": "cna", "vendor": "memcached"}, "product": "memcached", "vendor": "memcached"}], "created": "2026-05-20T07:30:25.075925+00:00", "title": "Timing Side\u2011Channel in SASL Username Lookup Causes Username Enumeration in Memcached", "updated": "2026-05-20T08:00:11.684180+00:00", "vendors": ["memcached", "memcached$PRODUCT$memcached"]}