HIGHCVE-2026-48829Published 2026-05-24Modified 2026-05-26CNA mitre

CVE-2026-48829: In GNU SASL before 2

In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 2.2.3
Affected Products: 1

Fix available

2.2.3

Affected packages

GNU / GNU SASL
< 2.2.3 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

lists.gnu.org
codeberg.org
lists.debian.org
lists.gnu.org

Metrics

Fix available