Description
GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.
Published: 2026-06-23
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Input Validation flaw (CWE‑839) in the _gsasl_ntlm_client_step function of GNU SASL. When the client processes a short NTLM challenge that a malicious server deliberately crafts, it fails to sanitize the input, causing the client to read and expose parts of its own memory. This results in disclosure of potentially sensitive data such as passwords or cryptographic material but does not give the attacker code execution or integrity bypass on the target system.

Affected Systems

GNU SASL versions older than 2.2.4 on any system that uses the NTLM client component are affected. Hosts that run unpatched clients and establish NTLM authentication sessions with an external server may be vulnerable.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity, largely due to the limited scope of impact. EPSS is not available, and the vulnerability is not in the CISA KEV list. An attacker can exploit the flaw by controlling a server that the client connects to; no privilege escalation or additional host access is required on the client side. The attack requires network proximity to the client or the ability to become a trusted NTLM authentication partner.

Generated by OpenCVE AI on June 24, 2026 at 11:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GNU SASL to version 2.2.4 or later to apply the input sanitization fix.
  • Block or refuse NTLM authentication from servers that are not explicitly trusted or required.
  • If an upgrade is not immediately possible, disable NTLM authentication entirely on the client to eliminate the attack surface.
  • Implement network-level controls to restrict which servers may initiate NTLM handshakes, and monitor for anomalous NTLM traffic.

Generated by OpenCVE AI on June 24, 2026 at 11:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Title Memory Disclosure via Unvalidated NTLM Challenge in GNU SASL

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Title GNU SASL NTLM Short Challenge Memory Disclosure Vulnerability

Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title GNU SASL NTLM Short Challenge Memory Disclosure Vulnerability

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title NTLM Client Short Challenge Improper Sanitization Leads to Memory Disclosure

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title NTLM Client Short Challenge Improper Sanitization Leads to Memory Disclosure

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.
First Time appeared Gnu
Gnu gnu Sasl
Weaknesses CWE-839
CPEs cpe:2.3:a:gnu:gnu_sasl:*:*:*:*:*:*:*:*
Vendors & Products Gnu
Gnu gnu Sasl
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-23T17:31:49.772Z

Reserved: 2026-06-23T16:18:28.745Z

Link: CVE-2026-56968

cve-icon Vulnrichment

Updated: 2026-06-23T17:31:46.629Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-839

    Numeric Range Comparison Without Minimum Check