Cyber Resilience

CVE-2026-47784

High

Published: 20 May 2026

Published
20 May 2026
Modified
21 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0055 41.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-47784 is a high-severity Observable Timing Discrepancy (CWE-208) vulnerability in Memcached Memcached. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Timing side-channel in SASL password verification directly enables more efficient password guessing during authentication attempts.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-47783Same product: Memcached Memcached
CVE-2026-47373Shared CWE-208
CVE-2025-70949Shared CWE-208
CVE-2026-5086Shared CWE-208
CVE-2026-40972Shared CWE-208
CVE-2024-42512Shared CWE-208
CVE-2026-41588Shared CWE-208
CVE-2025-68621Shared CWE-208
CVE-2026-28464Shared CWE-208
CVE-2025-48630Shared CWE-208

Affected Assets

memcached
memcached
≤ 1.6.42

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-208

Timing randomization or delays can mask true operation timing and mislead timing-based attacks.

addresses: CWE-208

Observable timing discrepancies are a primary mechanism for constructing covert timing channels; analysis identifies and bounds them, limiting exploitation.

References