Memcached is a high-performance, multithreaded, event-based key/value cache designed for distributed systems. The development team recently resolved a significant Memcached SASL vulnerability affecting older versions of the software: two timing side-channel flaws in the authentication subsystem. Both issues received a high severity rating with a CVSS score of 8.1, so administrators should upgrade active deployments promptly to secure their caching infrastructure.
Understanding the Authentication Risks
The first flaw is tracked as CVE-2026-47783 and affects the username validation logic. In versions before 1.6.42, the username check for SASL password database authentication exhibits a timing side channel: the lookup loop exits as soon as it finds a matching username, so a request for an existing name returns measurably sooner than one that scans the whole table. An attacker who measures response times can therefore enumerate valid usernames.
The second flaw is tracked as CVE-2026-47784 and affects the password verification phase. The password check has a similar timing side channel because it relies on a standard memcmp, which typically stops at the first differing byte. A remote party can thus infer how many leading bytes of a guess are correct from the processing delay and work through the password byte by byte.
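The two patterns the advisory describes, an early-exit comparison and an early-exit username lookup, shown next to constant-time replacements. This is an added C example, not memcached's own code: the credential table, the dummy password and every function name are constructed here for illustration, and the constant-time lookup selects the matching index with a mask so that every table entry is compared regardless of where the match sits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample credentials; not memcached's real storage format. */
typedef struct { const char *user; const char *pass; } cred_t;
static const cred_t SAMPLE_DB[] = {
    { "alice", "correct horse battery" },
    { "bob",   "hunter2-but-longer" },
    { "carol", "s3cr3t-passphrase" },
};
#define SAMPLE_DB_LEN (sizeof SAMPLE_DB / sizeof SAMPLE_DB[0])

/* Leaky pattern: returns at the first differing byte, so run time grows with
   the length of the matching prefix. This is the behaviour memcmp gives you. */
int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (a[i] != b[i]) return 0;
    return 1;
}

/* Constant-time equality over n bytes: every byte is visited and the result is
   collapsed without a data-dependent branch. Returns 1 if equal, else 0. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    unsigned int diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned int)(a[i] ^ b[i]);
    /* diff is 0..255: (diff - 1) >> 8 is nonzero only when diff == 0. */
    return (int)(((diff - 1U) >> 8) & 1U);
}

/* Compare a stored string against a supplied buffer of any length. The loop
   always walks the full stored length, so timing depends on the stored
   secret's length but not on how many leading bytes of the guess are right. */
int ct_str_equal(const char *expected, const char *supplied, size_t supplied_len) {
    size_t elen = strlen(expected);
    size_t diff = elen ^ supplied_len;            /* nonzero if lengths differ */
    for (size_t i = 0; i < elen; i++) {
        /* Index the supplied buffer modulo its length to stay in bounds. */
        uint8_t s = supplied_len ? (uint8_t)supplied[i % supplied_len] : 0;
        diff |= (size_t)((uint8_t)expected[i] ^ s);
    }
    return diff == 0;
}

/* Username lookup without an early exit: every entry is compared and the
   matching index is folded in with an all-ones mask instead of a break.
   Returns the index, or -1 if the user is unknown. */
int ct_find_user(const char *user, size_t ulen) {
    int found = -1;
    for (size_t i = 0; i < SAMPLE_DB_LEN; i++) {
        int m = -ct_str_equal(SAMPLE_DB[i].user, user, ulen); /* -1 on match */
        found = (found & ~m) | ((int)i & m);
    }
    return found;
}

/* Full check: an unknown user still triggers a password comparison against a
   dummy string so that "no such user" and "wrong password" do comparable work.
   The ternary only selects a pointer; the comparison itself is the same. */
int ct_check_credentials(const char *user, size_t ulen, const char *pass, size_t plen) {
    static const char dummy_pass[] = "dummy-password-of-typical-len";
    int idx = ct_find_user(user, ulen);
    int known = idx >= 0;
    const char *expected = known ? SAMPLE_DB[idx].pass : dummy_pass;
    int pass_ok = ct_str_equal(expected, pass, plen);
    return known & pass_ok;
}

int main(void) {
    const char *p = "correct horse battery";
    printf("alice/correct: %d\n", ct_check_credentials("alice", 5, p, strlen(p)));
    printf("alice/wrong:   %d\n", ct_check_credentials("alice", 5, "x", 1));
    printf("mallory/any:   %d\n", ct_check_credentials("mallory", 7, p, strlen(p)));
    return 0;
}
```

A quick check of the hardened path: feed it a valid and an invalid username with the same password, and a correct and a one-byte-short password for a known user; the results differ but the amount of comparison work does not.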
Release Notes and Mitigation Steps
Fortunately, the release of Memcached 1.6.42 completely mitigates this dangerous Memcached SASL vulnerability. The new version resolves the timing side-channel bugs during SASL authentication. Additionally, the update delivers several other vital stability and security fixes. For instance, it addresses a signed overflow in bodylen for the binary protocol. It also remedies a data race during authentication reloads and prevents crashes from massive tokens.
In addition, the patch fixes memory underreads when nulling requests and addresses core crashes during slab reassignment. Ultimately, updating to version 1.6.42 ensures your distributed systems remain resilient against unauthorized access. Administrators should deploy this patch immediately across all production nodes.