CVE-2026-47784: Memcached Timing Side Channel Exposes Passwords
The National Vulnerability Database (NVD) reports CVE-2026-47784, a high-severity timing side channel vulnerability in memcached versions prior to 1.6.42. This flaw, assigned a CVSS score of 8.1, stems from the use of memcmp in the sasl_server_userdb_checkpass function, which allows an attacker to discern password data for SASL authentication.
This isn’t a simple bug; it’s a critical design oversight. The timing differences in memcmp’s execution, depending on how many bytes match between the provided and actual password, can be exploited by a determined attacker. While not a direct remote code execution, it provides an avenue for password enumeration, making brute-force attacks significantly more efficient and feasible against memcached instances configured with SASL authentication.
Defenders need to understand the implications: if your memcached instances are exposed and using SASL, this side channel is a clear path to credential compromise. The fix is straightforward: upgrade to memcached version 1.6.42 or later immediately. The patch specifically addresses this memcmp issue, closing a subtle but dangerous information leak.
What This Means For You
- If your organization relies on memcached with SASL authentication, you are directly exposed to CVE-2026-47784. This timing side channel allows attackers to deduce password data, making your cached data and potentially connected systems vulnerable. Prioritize patching all memcached instances to version 1.6.42 or newer to eliminate this risk.
Related ATT&CK Techniques
🛡️ Detection Rules
2 rules · 6 SIEM formats2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-47784: Memcached SASL Password Timing Side Channel
title: CVE-2026-47784: Memcached SASL Password Timing Side Channel
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
This rule detects the use of memcached, which is the affected service in CVE-2026-47784. The vulnerability lies in the SASL authentication mechanism where a timing side channel in memcmp can leak password information. This rule serves as a baseline indicator that the vulnerable service is in use and potentially exposed.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-47784/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: authentication
detection:
selection:
Image|contains:
- 'memcached'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-47784 | Information Disclosure | memcached before 1.6.42 |
| CVE-2026-47784 | Cryptographic Failure | SASL password database authentication timing side channel |
| CVE-2026-47784 | Information Disclosure | Vulnerable function: sasl_server_userdb_checkpass using memcmp |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...