Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-20T05:45:37 memcached: Memcached: Information disclosure via timing side channel 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-208

A flaw was found in memcached. This vulnerability involves a timing side channel during SASL (Simple Authentication and Security Layer) password database authentication. A remote attacker could potentially exploit the timing differences in the password verification process to infer sensitive password data. This could lead to unauthorized access to the memcached instance.

To mitigate this issue, restrict network access to the memcached service to only trusted clients and networks using firewall rules. If SASL authentication is not strictly required, consider disabling it. If SASL is necessary, ensure that strong, unique passwords are used and rotated regularly. Example firewall rule (adjust port and source as needed): `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<TRUSTED_IP_RANGE>" port port="11211" protocol="tcp" accept'` `firewall-cmd --reload` To bind memcached to localhost, edit `/etc/sysconfig/memcached` and set `OPTIONS="-l 127.0.0.1"`. Restart the memcached service: `systemctl restart memcached` Note that restarting the memcached service will clear all cached data. Red Hat Enterprise Linux 10 Fix deferred memcached Red Hat Enterprise Linux 6 Fix deferred memcached Red Hat Enterprise Linux 7 Fix deferred memcached Red Hat Enterprise Linux 8 Fix deferred memcached Red Hat Enterprise Linux 9 Fix deferred memcached Red Hat Hardened Images Affected memcached https://www.cve.org/CVERecord?id=CVE-2026-47784 https://nvd.nist.gov/vuln/detail/CVE-2026-47784 https://github.com/memcached/memcached/commit/d13f282b4bce33a9c33b8a1bbf07f12114160fed https://github.com/memcached/memcached/compare/1.6.41...1.6.42 https://github.com/memcached/memcached/wiki/ReleaseNotes1642