CVE-2026-56968
Severity: Low (CVSS 3.7)
Exploitation Probability (EPSS): Low risk, 14th percentile (higher than 14% of all known CVEs)
Summary
In GNU SASL before version 2.2.4, there is a lack of sanitization of a short challenge in the _gsasl_ntlm_client_step function in the NTLM client, which could result in memory disclosure via a crafted server.
Risk Assessment
An attacker operating a crafted server can exploit this vulnerability to read memory fragments of a client application that uses the GNU SASL NTLM mechanism, potentially leading to leakage of sensitive data such as passwords or cryptographic keys.
Recommendation
Immediately update the GNU SASL library to version 2.2.4 or later, which includes the necessary security fixes.
Original NVD description (English source)
GNU SASL before 2.2.4 lacks sanitization of a short challenge in _gsasl_ntlm_client_step in the NTLM client, which could result in memory disclosure via a crafted server.

