Cyber Resilience

CVE-2026-47783

HighUpdated

Published: 20 May 2026

Published
20 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0131 67.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-47783 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Memcached Memcached. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked in the top 32.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Timing side-channel enables valid username enumeration as a direct precursor to password guessing/brute force against the SASL auth mechanism.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-47784Same product: Memcached Memcached
CVE-2026-5086Shared CWE-208
CVE-2026-40972Shared CWE-208
CVE-2024-42512Shared CWE-208
CVE-2026-47373Shared CWE-208
CVE-2025-68621Shared CWE-208
CVE-2025-70949Shared CWE-208
CVE-2024-13939Shared CWE-208
CVE-2026-28464Shared CWE-208
CVE-2025-48630Shared CWE-208

Affected Assets

memcached
memcached
≤ 1.6.42

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks.

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

References