GNU SASL CVE-2026-48829: DIGEST-MD5 Parser Crash Affects Enterprise Mail Servers and LDAP Stacks

A NULL pointer dereference in GNU SASL's DIGEST-MD5 authentication mechanism (CVE-2026-48829, CVSS 7.5) allows a remote attacker to crash any service using GNU SASL for DIGEST-MD5 authentication by sending a malformed authentication token. Debian and other distributions published security advisories on 24 May. Affected services include Postfix, Cyrus IMAP, and LDAP servers that use SASL for authentication.


Debian published a security advisory on 24 May for CVE-2026-48829, a NULL pointer dereference in GNU SASL’s DIGEST-MD5 authentication mechanism. The vulnerability is triggered by a malformed DIGEST-MD5 authentication token that lacks the = character required in the SASL challenge-response token format. GNU SASL before version 2.2.2 fails to validate this requirement before dereferencing a pointer that may be NULL in the malformed case, crashing the process handling the authentication.
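To make the failure mode concrete, here is an added example in C (not GNU SASL's own code) of a small DIGEST-MD5 token parser that treats an element without the `=` separator as a protocol error instead of writing through the NULL pointer that `strchr`/`memchr` return for it. The function names (`digest_md5_parse`, `digest_md5_get`, `sasl_pair`), the size limits and the sample tokens are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on key=value pairs tracked per token (assumed limit). */
#define MAX_PAIRS 16

struct sasl_pair {
    char key[64];
    char value[256];
};

/*
 * Parse a DIGEST-MD5 token such as
 *   username="alice",realm="example.com",nonce="abc123",qop=auth
 * into key/value pairs. Returns the number of pairs, or -1 when any
 * element lacks '=' or a field does not fit.
 *
 * The unchecked pattern that produces a crash on a malformed token is
 *     char *eq = strchr(elem, '=');
 *     *eq = '\0';            // eq is NULL when '=' is absent
 * Here the absence of '=' is reported as an error and never dereferenced.
 */
int digest_md5_parse(const char *token, struct sasl_pair *out, size_t max_pairs)
{
    size_t n = 0;
    const char *p = token;

    while (*p != '\0') {
        /* An element ends at a ',' that is not inside double quotes. */
        const char *start = p;
        int in_quotes = 0;
        while (*p != '\0' && (in_quotes || *p != ',')) {
            if (*p == '"')
                in_quotes = !in_quotes;
            p++;
        }
        size_t len = (size_t)(p - start);
        if (*p == ',')
            p++;                         /* skip separator */

        /* Look for '=' inside this element only. */
        const char *eq = memchr(start, '=', len);
        if (eq == NULL)
            return -1;                   /* malformed: no '=' in element */

        size_t klen = (size_t)(eq - start);
        const char *vstart = eq + 1;
        size_t vlen = len - klen - 1;

        /* Strip surrounding double quotes from the value, if present. */
        if (vlen >= 2 && vstart[0] == '"' && vstart[vlen - 1] == '"') {
            vstart++;
            vlen -= 2;
        }
        if (klen == 0 || klen >= sizeof out[0].key || vlen >= sizeof out[0].value)
            return -1;
        if (n >= max_pairs)
            return -1;

        memcpy(out[n].key, start, klen);
        out[n].key[klen] = '\0';
        memcpy(out[n].value, vstart, vlen);
        out[n].value[vlen] = '\0';
        n++;
    }
    return (int)n;
}

/* Look up a parsed key; returns NULL when the key is absent. */
const char *digest_md5_get(const struct sasl_pair *pairs, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(pairs[i].key, key) == 0)
            return pairs[i].value;
    return NULL;
}

int main(void)
{
    /* Constructed sample tokens, not captured traffic. */
    const char *good = "username=\"alice\",realm=\"example.com\",nonce=\"abc123\",qop=auth";
    const char *bad = "username";        /* no '=': the case the parser must reject */
    struct sasl_pair pairs[MAX_PAIRS];

    int n = digest_md5_parse(good, pairs, MAX_PAIRS);
    printf("good token: %d pairs, realm=%s\n", n, digest_md5_get(pairs, n, "realm"));
    n = digest_md5_parse(bad, pairs, MAX_PAIRS);
    printf("bad token: parse returned %d (rejected, no crash)\n", n);
    return 0;
}
```

The parser bounds every search to the current element and validates the separator before computing key and value lengths, so a missing `=` (or an empty element such as `a=b,,c=d`) surfaces as a return value the caller can turn into an authentication failure.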

GNU SASL (GNU Simple Authentication and Security Layer) is the GNU Project’s implementation of the SASL authentication framework, widely used in open-source mail servers, LDAP implementations, and authentication-aware network services on Linux and Unix systems.

Services Using GNU SASL for DIGEST-MD5

DIGEST-MD5 is an older SASL mechanism used in several enterprise authentication contexts:

Postfix mail server: Postfix can use GNU SASL (via the sasl_lib_dovecot or direct sasl_lib_cyrus configuration) for SMTP AUTH. If the Postfix configuration uses DIGEST-MD5 and is configured to use GNU SASL as the SASL library, an unauthenticated attacker who can reach the SMTP AUTH port can crash the Postfix SASL authentication process with a single malformed authentication exchange.

Cyrus IMAP: Cyrus IMAP uses Cyrus SASL (a separate, unaffected implementation), not GNU SASL, for its primary authentication. However, environments that explicitly configure GNU SASL as the SASL provider for Cyrus IMAP (a non-default configuration) would be affected.

OpenLDAP with SASL DIGEST-MD5: OpenLDAP can use GNU SASL for SASL authentication, including DIGEST-MD5. LDAP-authenticated services that use DIGEST-MD5 via GNU SASL are affected.

Custom applications: Any application using the gsasl_step() or equivalent GNU SASL API functions to process DIGEST-MD5 authentication tokens from untrusted sources is affected.

Exploitability Assessment

The vulnerability requires:

  • The target service to use GNU SASL as the SASL library (not Cyrus SASL, which is more common)
  • The service to support or negotiate DIGEST-MD5 as an authentication mechanism
  • Network access to the service’s authentication port

DIGEST-MD5 has been deprecated by the IETF since 2011 (RFC 6331) and is disabled by default in many modern configurations. However, it persists in environments with legacy clients that cannot support more modern mechanisms (SCRAM-SHA-256, GSSAPI/Kerberos) or where administrators have not explicitly disabled legacy mechanisms.

The denial-of-service impact is significant for authentication services: crashing the authentication handler disrupts all authentication processing for the service, causing service outage for legitimate users during the time the service takes to recover or restart.

Patch and Mitigation

Patch: Update to GNU SASL 2.2.2 or later, which validates the presence of the = character before processing the DIGEST-MD5 token. Distribution packages for Debian, Ubuntu, and others are available through the standard security update channels.

Disable DIGEST-MD5: For services that have no legacy clients requiring DIGEST-MD5, explicitly disabling the mechanism eliminates the attack surface. For Postfix with GNU SASL:

smtpd_sasl_security_options = noanonymous, noplaintext

And ensure DIGEST-MD5 is not listed in the configured SASL mechanisms.

For OpenLDAP, disable DIGEST-MD5 in slapd.conf or cn=config by excluding it from the sasl-secprops configuration.

Verify SASL library in use: Confirm whether your services use GNU SASL or Cyrus SASL. Most modern distributions default to Cyrus SASL (libsasl2), which is not affected by CVE-2026-48829. The package providing SASL authentication for your service determines your exposure.
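As an added example (not from the advisory or the GNU SASL project), the two checks above can be scripted: which SASL implementation a service binary links, read from `ldd` output, and whether an installed GNU SASL version is below the fixed release 2.2.2. The function names, the `DAEMON` variable and the sample `ldd` output are constructed assumptions.

```sh
#!/bin/sh
# Added example: identify the SASL library a daemon links and compare a
# GNU SASL version against the 2.2.2 fix for CVE-2026-48829.

# Read `ldd <binary>` output on stdin and print which SASL implementation
# the binary links: gnu-sasl (libgsasl, affected), cyrus-sasl (libsasl2,
# not affected by this CVE) or none.
sasl_lib_from_ldd() {
    input=$(cat)
    case "$input" in
        *libgsasl*)  echo gnu-sasl ;;
        *libsasl2*)  echo cyrus-sasl ;;
        *)           echo none ;;
    esac
}

# Return 0 (true) when the GNU SASL version in $1 is older than 2.2.2.
# Distribution suffixes such as "-1" or "+deb12u1" are stripped first.
gsasl_is_vulnerable() {
    v=${1%%[-+]*}
    IFS=. read -r maj min pat <<EOF
$v
EOF
    maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
    # Fold major.minor.patch into one comparable integer; 2.2.2 -> 20202.
    num=$((maj * 10000 + min * 100 + pat))
    [ "$num" -lt 20202 ]
}

# Constructed sample of ldd output from a daemon that links GNU SASL.
sample_ldd='    libgsasl.so.18 => /usr/lib/x86_64-linux-gnu/libgsasl.so.18 (0x00007f3a1c000000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bc00000)'
printf '%s\n' "$sample_ldd" | sasl_lib_from_ldd

for ver in 2.2.1 2.2.1-1 2.2.2 2.2.2+deb12u1; do
    if gsasl_is_vulnerable "$ver"; then
        echo "$ver: update required (CVE-2026-48829)"
    else
        echo "$ver: fixed"
    fi
done

# On a real host (assumption: DAEMON is the path of the service binary):
#   ldd "$DAEMON" | sasl_lib_from_ldd
```

A binary that links `libsasl2` only is outside the scope of this CVE; one that links `libgsasl` needs the version check, and a result below 2.2.2 means the package is still the vulnerable build regardless of whether DIGEST-MD5 is currently enabled.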
