UBUNTU-CVE-2026-47783

Details

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

Affected Packages

memcached

Ubuntu 20.04 LTS

Affected versions:

1.5.10-0ubuntu31.5.10-0ubuntu41.5.19-21.5.20-11.5.22-1ubuntu11.5.22-21.5.22-2ubuntu0.11.5.22-2ubuntu0.21.5.22-2ubuntu0.3

memcached

Ubuntu 22.04 LTS

Affected versions:

1.6.12+dfsg-2ubuntu11.6.12+dfsg-31.6.12+dfsg-41.6.13-11.6.14-11.6.14-1ubuntu0.11.6.9+dfsg-1build1

memcached

Ubuntu 24.04 LTS

Affected versions:

1.6.21-11.6.22-11.6.23-11.6.24-1build11.6.24-1build3

memcached

Ubuntu 25.10

Affected versions:

1.6.37-11.6.38-11.6.38-1build1

memcached

Ubuntu 26.04 LTS

Affected versions:

1.6.38-1build11.6.39-21.6.40-1

memcached

Ubuntu Pro 16.04 LTS

Affected versions:

1.4.24-2ubuntu11.4.25-1ubuntu21.4.25-2ubuntu11.4.25-2ubuntu1.21.4.25-2ubuntu1.31.4.25-2ubuntu1.41.4.25-2ubuntu1.51.4.25-2ubuntu1.5+esm1

memcached

Ubuntu Pro 18.04 LTS

Affected versions:

1.4.33-1ubuntu31.5.4-1ubuntu21.5.4-1ubuntu31.5.6-0ubuntu11.5.6-0ubuntu1.11.5.6-0ubuntu1.21.5.6-0ubuntu1.2+esm1

References

REPORT

https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed

REPORT

https://github.com/memcached/memcached/compare/1.6.41...1.6.42

REPORT

https://github.com/memcached/memcached/wiki/ReleaseNotes1642

REPORT

https://ubuntu.com/security/CVE-2026-47783

REPORT

https://www.cve.org/CVERecord?id=CVE-2026-47783