CVE-2026-48829 - Vulnerability Details

Analysis

Impact

In versions of GNU SASL older than 2.2.3, the DIGEST-MD5 authentication routine performs a NULL pointer dereference when it receives a token that does not include the required '=' character. This flaw results in a crash of either the client or the server component, which can be exploited to disrupt service availability.

Affected Systems

The vulnerability affects the GNU SASL library (GNU:GNU SASL) in all versions prior to 2.2.3. Both client and server implementations that use the lib/digest-md5 module can be impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the absence of an EPSS score and lack of listing in CISA KEV suggest current exploitation risk is moderate but not yet observed. A likely attack vector is a network‑based attacker sending a specially crafted DIGEST‑MD5 request lacking the '=' character to a server or client that processes SASL authentication. This can lead to a denial of service through a crash, as the flaw is a direct NULL pointer dereference.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade GNU SASL to version 2.2.3 or later.
Temporarily disable DIGEST-MD5 authentication in services that use GNU SASL until the upgrade can be performed.
If an upgrade is not feasible, ensure that any input passed to the DIGEST-MD5 routine is validated to contain an '=' character before being processed.

Generated by OpenCVE AI on May 24, 2026 at 04:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References

Link	Providers
https://codeberg.org/gsasl/gsasl/commit/da9b5ae2962b014879e4a406c3b38f25aa70e97a
https://lists.debian.org/debian-security-announce/2026/msg00182.html
https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html
https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00002.html

History

Sun, 24 May 2026 04:45:00 +0000

Type	Values Removed	Values Added
Title		NULL Pointer Dereference in DIGEST-MD5 Handling of GNU SASL 2.2.3 and Earlier

Sun, 24 May 2026 03:30:00 +0000

Type	Values Removed	Values Added
Description		In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.
First Time appeared		Gnu Gnu gnu Sasl
Weaknesses		CWE-476
CPEs		cpe:2.3:a:gnu:gnu_sasl::::::::
Vendors & Products		Gnu Gnu gnu Sasl
References		https://codeberg.org/gsasl/gsasl/commit/da9b5ae2962b014879e4a406c3b38f25aa70e97a https://lists.debian.org/debian-security-announce/2026/msg00182.html https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00002.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object