Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

CVE-2026-48829: GNU SASL DIGEST-MD5 NULL Pointer Dereference

CVE-2026-48829

Summary

A vulnerability in GNU SASL's DIGEST-MD5 authentication could allow an attacker to crash the system. This issue affects both clients and servers using GNU SASL. To protect against this, update to GNU SASL version 2.2.3 or later.

Original title

In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.

Original description

In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.

nvd CVSS3.1 7.5

Vulnerability type

CWE-476 NULL Pointer Dereference

https://codeberg.org/gsasl/gsasl/commit/da9b5ae2962b014879e4a406c3b38f25aa70e97a
https://lists.debian.org/debian-security-announce/2026/msg00182.html
https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html
https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00002.html

Published: 24 May 2026 · Updated: 31 May 2026 · First seen: 26 May 2026