CVE Catalog

CVE-2026-56968

Severity: Low (CVSS 3.7)

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

In GNU SASL before version 2.2.4, there is a lack of sanitization of a short challenge in the _gsasl_ntlm_client_step function in the NTLM client, which could result in memory disclosure via a crafted server.

Risk Assessment

An attacker can exploit this vulnerability to read memory fragments of an application using GNU SASL, potentially leading to leakage of sensitive data such as passwords or cryptographic keys.

Recommendation

Immediately update the GNU SASL library to version 2.2.4 or later, which includes the necessary security fixes.

Original NVD description (English source)

GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS