{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-20T05:45:37Z",
  "bugzilla" : {
    "description" : "memcached: Memcached: Information disclosure via timing side channel",
    "id" : "2480088",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2480088"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-208",
  "details" : [ "In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.", "A flaw was found in memcached. This vulnerability involves a timing side channel during SASL (Simple Authentication and Security Layer) password database authentication, so it only affects instances with SASL authentication enabled. A remote attacker could exploit the timing differences in the password verification process to infer sensitive password data. This could lead to unauthorized access to the memcached instance." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-04T00:00:00Z",
    "advisory" : "RHSA-2026:23261",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "memcached-main-1.6.42-0.1.hum1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "memcached",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Fix deferred",
    "package_name" : "memcached",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "memcached",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "memcached",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "memcached",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-47784\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-47784\nhttps://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed\nhttps://github.com/memcached/memcached/compare/1.6.41...1.6.42\nhttps://github.com/memcached/memcached/wiki/ReleaseNotes1642" ],
  "name" : "CVE-2026-47784",
  "mitigation" : {
    "value" : "To mitigate this issue, restrict network access to the memcached service to only trusted clients and networks using firewall rules. If SASL authentication is not strictly required, consider disabling it; note that memcached then accepts any client that can reach it, so do this only where network access is already restricted. If SASL is necessary, ensure that strong, unique passwords are used and rotated regularly.\nExample firewall rule (adjust port and source as needed, and verify that no broader rule already permits access to the port):\n`firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"<TRUSTED_IP_RANGE>\" port port=\"11211\" protocol=\"tcp\" accept'`\n`firewall-cmd --reload`\nTo bind memcached to localhost, edit `/etc/sysconfig/memcached` and set `OPTIONS=\"-l 127.0.0.1\"`. Restart the memcached service:\n`systemctl restart memcached`\nNote that restarting the memcached service will clear all cached data.",
    "lang" : "en:us"
  },
  "csaw" : false
}