{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-47783","assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","state":"PUBLISHED","assignerShortName":"mitre","dateReserved":"2026-05-20T05:43:46.363Z","datePublished":"2026-05-20T05:43:46.976Z","dateUpdated":"2026-06-30T12:10:00.694Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"memcached","vendor":"memcached","versions":[{"lessThan":"1.6.42","status":"affected","version":"0","versionType":"semver"}]}],"descriptions":[{"lang":"en","value":"In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-208","description":"CWE-208 Observable Timing Discrepancy","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre","dateUpdated":"2026-05-20T05:43:46.976Z"},"references":[{"url":"https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed"},{"url":"https://github.com/memcached/memcached/compare/1.6.41...1.6.42"},{"url":"https://github.com/memcached/memcached/wiki/ReleaseNotes1642"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"},"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:memcached:memcached:*:*:*:*:*:*:*:*","versionEndExcluding":"1.6.42"}]}]}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-20T12:49:50.253452Z","id":"CVE-2026-47783","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-20T12:49:58.195Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"}],"datePublic":"2026-05-20T05:43:46.976Z","descriptions":[{"lang":"en","value":"A flaw was found in memcached. A remote attacker can exploit a timing side channel during Simple Authentication and Security Layer (SASL) password database authentication. This vulnerability allows an attacker to observe subtle timing differences, which could be used to enumerate valid usernames."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.1,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-208","description":"Observable Timing Discrepancy","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-47783"},{"name":"RHBZ#2480089","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2480089"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-47783.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:27842"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:27862"}],"solutions":[{"lang":"en","value":"RHSA-2026:27842: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:27862: Red Hat Enterprise Linux AppStream (v. 9)"}],"timeline":[{"lang":"en","time":"2026-05-20T07:00:55.885Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-05-20T05:43:46.976Z","value":"Made public."}],"title":"memcached: memcached: Username enumeration via timing side channel","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:10:00.694Z"}}]}}