CVE-2026-47783: memcached Timing Side Channel Vulnerability in SASL Authentication

hello@craftedsignal.io — Thu, 21 May 2026 07:13:41 +0000

CVE-2026-47783 is a security vulnerability affecting memcached versions prior to 1.6.42. The vulnerability lies in the SASL (Simple Authentication and Security Layer) password database authentication mechanism. Specifically, the sasl_server_userdb_checkpass function prematurely exits a loop upon encountering a valid username. This behavior introduces a timing side channel, where the time taken to process an authentication request can reveal information about the existence of usernames in the database. An attacker could exploit this timing difference to enumerate valid usernames. This vulnerability impacts systems where memcached is configured to use SASL authentication with a password database, and successful exploitation could lead to unauthorized information disclosure.

Attack Chain

Attacker sends an authentication request with a potential username.
The sasl_server_userdb_checkpass function in memcached is invoked.
The function iterates through the list of valid usernames.
If a matching username is found, the loop exits immediately.
The time taken for the function to complete is measured by the attacker.
The attacker repeats the process with different usernames, observing the timing variations.
By analyzing the timing data, the attacker identifies usernames that cause a faster response.
The faster response indicates a valid username, allowing the attacker to enumerate valid usernames.

Impact

Successful exploitation of CVE-2026-47783 allows an attacker to enumerate valid usernames in the memcached SASL password database. While it does not directly expose passwords, knowing valid usernames significantly weakens the security posture. This information can then be used in subsequent brute-force or credential-stuffing attacks against the memcached instance or other services where the same usernames are used. The impact is heightened in environments where memcached stores sensitive data and is protected by SASL authentication.

Recommendation

Upgrade memcached to version 1.6.42 or later to patch CVE-2026-47783.
Monitor memcached logs for unusual authentication patterns or attempts to enumerate usernames. Deploy the Sigma rule Detect Memcached SASL Authentication Username Enumeration to detect potential exploitation attempts.
Consider implementing rate limiting on authentication attempts to mitigate brute-force attacks that could leverage enumerated usernames.
If possible, migrate away from SASL password database authentication to more secure authentication mechanisms like certificate-based authentication.

OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS

hello@craftedsignal.io — Mon, 18 May 2026 20:22:53 +0000

A denial-of-service vulnerability exists in the memcached text protocol parser within OpenTelemetry eBPF Instrumentation (OBI). The vulnerability resides in the pkg/ebpf/common/memcached_detect_transform.go file, where the parser lacks proper bounds checking when handling the field of memcached storage commands (set, add, replace, append, prepend, cas). By sending a crafted memcached request with an extremely large value (e.g., math.MaxInt or math.MaxInt-1), an attacker can cause an integer overflow during payload length calculation. This overflow results in a negative payload length being passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go, triggering a runtime panic and crashing the OBI process. This vulnerability affects OBI versions 0.7.0 to 0.8.x, allowing a remote attacker to disrupt telemetry collection.

Attack Chain

Attacker identifies an OBI instance instrumenting memcached traffic.
Attacker crafts a memcached storage command (e.g., set) with a large field (close to math.MaxInt).
Attacker sends the crafted memcached storage command to a service instrumented by the vulnerable OBI instance on port 11211.
OBI’s memcached request parser (memcachedCommandBytesField in pkg/ebpf/common/memcached_detect_transform.go) receives the crafted command and parses the field using strconv.Atoi.
OBI calculates the payload length by adding the value to the length of the trailing \r\n delimiter.
Due to the large value, the addition overflows, resulting in a negative payloadLen.
The negative payloadLen is passed to LargeBufferReader.Peek in pkg/internal/largebuf/large_buffer.go.
LargeBufferReader.Peek attempts to slice a buffer with the negative length, causing a Go runtime panic and crashing the OBI process.

Impact

Successful exploitation of this vulnerability results in a denial of service (DoS) against the OBI process. This leads to a loss of telemetry data collection for any services being monitored by the affected OBI instance. The attacker only needs to send a crafted memcached storage command to a service that OBI is instrumenting. This vulnerability impacts OBI deployments where the memcached parser is active and the instrumented services are reachable or influenceable by an attacker.

Recommendation

Deploy the Sigma rule Detect OpenTelemetry OBI Memcached Integer Overflow Attempt to detect crafted memcached storage commands with extremely large values in network traffic.
Monitor OBI process logs and container status for crashes originating from LargeBufferReader.Peek, as indicated in the overview, to identify potential exploitation attempts.
Consider filtering or sanitizing memcached storage command inputs to prevent excessively large values from reaching instrumented services.

Memcached — CraftedSignal Threat Feed

CVE-2026-47783: memcached Timing Side Channel Vulnerability in SASL Authentication

Attack Chain

Impact

Recommendation

OpenTelemetry eBPF Instrumentation (OBI) Memcached Integer Overflow DoS

Attack Chain

Impact

Recommendation