In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c.
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Gsasl | Ubuntu | devel | * |
| Gsasl | Ubuntu | noble | * |
| Gsasl | Ubuntu | questing | * |
| Gsasl | Ubuntu | resolute | * |
| Gsasl | Ubuntu | upstream | * |
Potential Mitigations
References
- https://codeberg.org/gsasl/gsasl/commit/da9b5ae2962b014879e4a406c3b38f25aa70e97a
- https://lists.debian.org/debian-security-announce/2026/msg00182.html
- https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00000.html
- https://lists.gnu.org/archive/html/help-gsasl/2026-05/msg00002.html
- https://lists.debian.org/debian-lts-announce/2026/06/msg00007.html