Verify any claim · lenz.io
Claim analyzed
Tech
“Cyrus SASL library versions 2.1.9 and earlier have a buffer overflow vulnerability that can be triggered by long inputs during user name canonicalization.”
Submitted by Vivid Deer 97f8
The conclusion
The evidence strongly supports this as the long-documented Cyrus SASL flaw CVE-2002-1347. Multiple independent advisories state that Cyrus SASL 2.1.9 and earlier are vulnerable to a buffer overflow triggered by long usernames during canonicalization. Conflicting references point to a separate 2026 MongoDB C Driver integration bug, not the library vulnerability described here.
Caveats
- This describes a historical vulnerability from 2002-2003 that has long been patched in later releases.
- Some advisories also list the older 1.5.24 branch as affected; the claim mentions only the 2.1.x range.
- Do not confuse this library flaw with CVE-2026-6691, which affects MongoDB C Driver integration code rather than Cyrus SASL itself.
Sources
Sources used in the analysis
Description: "The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI." The CVE entry attributes the issue to the MongoDB C Driver's integration code rather than to a specific upstream Cyrus SASL release.
Carnegie Mellon University's Cyrus-SASL library is vulnerable to a buffer overflow, caused by improper bounds checking of usernames during canonicalization. By sending a specially-crafted long username to an application that uses the library, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. The flaw affects versions 1.5.24 and earlier, and 2.1.9 and earlier of the Cyrus-SASL library.
Several buffer overflows have been discovered in the Cyrus SASL library up to and including version 2.1.9. By supplying an excessively long username to functions responsible for username canonicalization, a local user can trigger a buffer overflow and potentially execute arbitrary code with the privileges of the process using SASL.
Cyrus SASL library 1.5.24 and earlier, and 2.1.9 and earlier, are vulnerable to a buffer overflow in the canonicalization function when handling long usernames. An attacker may exploit this flaw by sending a specially crafted, overly long username to an affected application, potentially leading to arbitrary code execution with the privileges of the process.
Description: "The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI." The advisory treats the flaw as residing in the MongoDB C Driver integration code, not as a generic defect in all Cyrus SASL library versions 2.1.9 and earlier.
CERT/CC writes: "The Carnegie Mellon University Cyrus SASL library contains a buffer overflow vulnerability in the way it handles user names during canonicalization." The note explains: "Cyrus SASL versions up to and including 2.1.9 are affected. By providing an excessively long user name, a remote attacker may be able to cause a buffer overflow and potentially execute arbitrary code."
GitHub security advisory GHSA-587q-94wg-2pfp states: "The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic. This may be triggered by passing untrusted input in the username of a MongoDB URI with authMechanism=GSSAPI." The advisory scope is limited to the MongoDB C Driver integration rather than all Cyrus SASL releases up to 2.1.9.
Description: Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allow local users to gain privileges. The vulnerability is triggered by overly long user names being processed during canonicalization in functions such as user_buf() and authid_buf().
Description of problem: There is a buffer overflow in the canonicalization function of the Cyrus SASL library. The overflow occurs when handling long usernames, and affects Cyrus SASL 1.5.24 and earlier, and 2.1.9 and earlier. Impact: A remote attacker can send a very long username to an application using Cyrus SASL and potentially execute arbitrary code.
Cyrus SASL library is reported to be vulnerable to a buffer overflow condition in its username canonicalization code. The issue occurs because the canonicalization function fails to properly check the length of the username. According to reports, Cyrus SASL 1.5.24 and earlier, and 2.1.9 and earlier, are affected. Remote attackers may exploit this vulnerability by supplying a long username to an application using the library.
Cyrus SASL library 2.1.9 and earlier contain multiple buffer overflows. Local users can exploit these flaws by supplying excessively long user names to routines that canonicalize user names, resulting in a buffer overflow and potential execution of arbitrary code with increased privileges.
Steve Langasek discovered a buffer overflow in the canonicalization function of the Cyrus SASL library. A remote attacker could exploit this vulnerability by providing a very long username to an application linked against Cyrus SASL, potentially leading to arbitrary code execution. This problem affects Cyrus SASL versions 1.5.24 and earlier, and 2.1.9 and earlier, and has been fixed in subsequent packages.
SentinelOne's write-up explains: "The root cause is missing input length validation in the SASL username canonicalization path. The function relies on an unbounded string copy when handling the GSSAPI username component of a MongoDB URI." It further clarifies that the issue concerns "MongoDB's C client driver integration with Cyrus SASL" rather than an intrinsic bug in the Cyrus SASL library itself.
CVE-2002-1347: Multiple buffer overflows in Cyrus SASL library 2.1.9 and earlier allow local users to gain privileges. This issue was fixed in later uploads of the cyrus-sasl2 source package. The vulnerability was related to how long user names were handled in the username canonicalization code.
It was discovered that cyrus-sasl versions up to and including 2.1.9 contain buffer overflow vulnerabilities in the handling of user names. A local attacker could supply an overly long user name during canonicalization and cause a buffer overflow, potentially leading to elevated privileges. This update includes a fixed version of the Cyrus SASL library.
A buffer overflow was found in the Cyrus SASL username canonicalization function. By sending a username that exceeds the expected length, a remote attacker could overwrite memory and potentially execute arbitrary code. The vulnerable code is present in Cyrus SASL 1.5.24 and earlier, and 2.1.9 and earlier. Users are advised to upgrade to a fixed version.
New in 2.1.22 ... Increase canonicalization buffer size to 1024 bytes. ... These changes address potential problems in username canonicalization and improve the safety of handling larger inputs.
Debian Security Advisory DSA-680-1 (2005) lists several issues in cyrus-sasl 1.5.28, including buffer overflows in certain authentication mechanisms. It states: "Several buffer overflows have been discovered in the Cyrus SASL library that could allow remote attackers to execute arbitrary code." However, the advisory does not specifically associate these with username canonicalization nor with the 2.1.x series up to 2.1.9.
Red Hat’s CVE page describes CVE-2007-2441 as: "Heap-based buffer overflow in the _sasl_add_string function in lib/common.c in Cyrus SASL 2.1.22 through 2.1.23 allows remote attackers to cause a denial of service (application crash) via a long input string." This vulnerability is tied to the _sasl_add_string helper and specific 2.1.22–2.1.23 releases, not to all versions 2.1.9 and earlier or explicitly to username canonicalization.
sasl_canon_user_t is the callback for an application-supplied user canonicalization function. This function is subject to the requirements that all user canonicalization functions are: It must copy the result into the output buffers, but the output buffers and the input buffers may be the same. Parameters include 'user' – un-canonicalized username, and 'out_user' – the output buffer for the canonicalized username.
The header file documents the canonicalization function prototype: "* in, inlen -- user name to canonicalize, may not be NUL terminated" and "* out -- buffer to copy user name. * out_max -- max length of user name." This interface description shows that username canonicalization involves copying the user name into a buffer with a specified maximum length, and vulnerabilities like CVE-2002-1347 arise when the implementation fails to correctly enforce these length limits for long inputs.
SecurityFocus describes the issue as follows: "Cyrus SASL library is reportedly prone to a buffer overflow condition in the code that canonicalizes user names." It continues: "A remote attacker may trigger this overflow by passing an overly long user name to an application that uses the vulnerable Cyrus SASL library. This issue is reported to affect Cyrus SASL versions 2.1.9 and earlier."
Debian’s security advisory DSA-233-1 states: "A buffer overflow has been discovered in the Cyrus SASL library. The problem occurs in the function which canonicalizes user names." It further notes: "By supplying a very long user name, a remote user could overflow this buffer and potentially execute arbitrary code. The vulnerability is present in Cyrus SASL up to version 2.1.9."
Reported: Cyrus SASL <= 2.1.9 suffers from a buffer overflow in the username canonicalization routines. When given a very long username, the canonicalization code overflows a fixed-size buffer, which can be exploited by a local user. Upgrading to 2.1.10 or later is recommended.
Public vulnerability databases and distribution advisories consistently describe CVE-2002-1347 as affecting Cyrus SASL 1.5.24 and earlier, and 2.1.9 and earlier, with an overflow in the username canonicalization function triggered by long usernames. Later 2.1.x releases increased the size and checking of canonicalization buffers, and vendor advisories state that upgrading beyond 2.1.9 removes exposure to this specific overflow.
The proof-of-concept page for CVE-2026-6691 states: "The MongoDB C Driver's Cyrus SASL integration performs unsafe string copying during username canonicalization, enabling a heap buffer overflow before any authentication or network traffic." The exploit provided targets the MongoDB C Driver using a crafted MongoDB URI username; it does not claim that every Cyrus SASL 2.1.9-and-earlier deployment is independently exploitable by long usernames.
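As an added example (not code from Cyrus SASL or from any source quoted above), a canonicalization routine written to the contract the sasl.h prototype above describes: `in`/`inlen` may not be NUL-terminated, `out_max` bounds the output, and `in` and `out` may be the same buffer. The length check before the copy is the step whose absence the CVE-2002-1347 advisories describe; the function names, return codes and the trim/lower-case canonical form are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* Return codes (assumed for this example; not Cyrus SASL's own). */
#define CANON_OK       0
#define CANON_TOOLONG  1
#define CANON_BADPARAM 2

/* Canonicalize inlen bytes of in (not necessarily NUL-terminated) into out,
 * which holds at most out_max bytes including the terminating NUL; in and
 * out may be the same buffer, as the sasl.h contract allows. The canonical
 * form used here is an assumption: surrounding blanks dropped, ASCII letters
 * lower-cased. Returns CANON_OK and sets *out_len, or leaves out untouched. */
int canon_user(const char *in, unsigned inlen,
               char *out, unsigned out_max, unsigned *out_len)
{
    unsigned start = 0, end = inlen;

    if (in == NULL || out == NULL || out_len == NULL || out_max == 0)
        return CANON_BADPARAM;
    /* Trim by inlen only; never scan for a NUL the caller may not have put there. */
    while (start < end && isspace((unsigned char)in[start]))
        start++;
    while (end > start && isspace((unsigned char)in[end - 1]))
        end--;
    /* The bounds check the advisories describe as missing: leave room for the NUL. */
    if (end - start >= out_max)
        return CANON_TOOLONG;
    /* memmove tolerates in == out; an unbounded strcpy-style copy would not. */
    memmove(out, in + start, end - start);
    for (unsigned i = 0; i < end - start; i++)
        out[i] = (char)tolower((unsigned char)out[i]);
    out[end - start] = '\0';
    *out_len = end - start;
    return CANON_OK;
}

/* A constructed 2000-byte name against a 1024-byte buffer (the size 2.1.22 moved to). */
int demo_long_name(void)
{
    static char in[2000];
    char out[1024];
    unsigned len = 0;
    memset(in, 'A', sizeof in);
    return canon_user(in, sizeof in, out, sizeof out, &len);
}
```

The oversized name is rejected with CANON_TOOLONG instead of being copied, and a name that fits is lower-cased and trimmed in place when the same buffer is passed as both input and output.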
Expert review
3 specialized AI experts evaluated the evidence and arguments.
Expert 1 — The Logic Examiner
The claim states that 'Cyrus SASL library versions 2.1.9 and earlier have a buffer overflow vulnerability that can be triggered by long inputs during user name canonicalization.' This maps precisely to CVE-2002-1347, which is directly and consistently documented by at least 12 high-authority sources (Sources 2, 3, 4, 6, 8, 9, 10, 11, 12, 14, 15, 16, 22, 23, 24) as a buffer overflow in the Cyrus SASL library itself affecting versions 2.1.9 and earlier, triggered by long usernames during canonicalization. The refuting sources (1, 5, 7, 13, 26) all describe a separate 2026 vulnerability (CVE-2026-6691) in the MongoDB C Driver's integration with Cyrus SASL — a categorically different issue that does not negate the well-established historical fact of CVE-2002-1347. The Opponent's rebuttal commits a false equivalence by suggesting the claim's language 'aligns more precisely' with CVE-2026-6691, when in fact the claim's exact wording ('versions 2.1.9 and earlier,' 'buffer overflow,' 'long inputs,' 'user name canonicalization') is the verbatim description of CVE-2002-1347 across multiple independent authoritative sources. The logical chain from evidence to claim is direct and unambiguous: the claim is true as a description of CVE-2002-1347, and the refuting sources address a different vulnerability entirely, making the Opponent's argument a non sequitur.
Expert 2 — The Context Analyst
The claim precisely matches the well-documented CVE-2002-1347 vulnerability from 2002–2003, which is confirmed by numerous high-authority sources (Debian DSA-180-1, Red Hat, CERT/CC, CVE.org, SecurityFocus, Gentoo, Red Hat Bugzilla) all explicitly stating that Cyrus SASL versions 2.1.9 and earlier contain a buffer overflow in the username canonicalization function triggered by long usernames. The refuting sources (CVE-2026-6691) describe a separate, more recent vulnerability in the MongoDB C Driver's integration with Cyrus SASL, which is a distinct issue and does not negate the historical library-level flaw. The only missing context is that the vulnerability is over 20 years old and has long been patched, and that the claim omits the version 1.5.24 branch also being affected, but these omissions do not undermine the core accuracy of the claim.
Expert 3 — The Source Auditor
The most authoritative sources directly supporting the claim are high-authority, independent advisories: Debian DSA-180-1 (Source 3), Red Hat CVE-2002-1347 (Source 4), CERT/CC VU#864643 (Source 6), CVE.org CVE-2002-1347 (Source 11), IBM X-Force (Source 2), and Red Hat RHSA-2003:022 (Source 15) — all explicitly state that Cyrus SASL library versions 2.1.9 and earlier contain a buffer overflow in username canonicalization triggered by long usernames. The refuting sources (Sources 1, 5, 7, 13, 26) all concern CVE-2026-6691, a separate 2026 vulnerability in the MongoDB C Driver's Cyrus SASL integration — they do not contradict the well-documented historical CVE-2002-1347 affecting the Cyrus SASL library itself; the opponent's argument conflates these two distinct CVEs. The claim accurately describes CVE-2002-1347 as confirmed by multiple independent, high-authority vendor and coordination advisories, making it clearly true despite the irrelevant refuting sources about a different vulnerability.
The arguments
Two AI advocates debated this claim using the research gathered.
Argument for
Multiple independent, high-authority security advisories explicitly state that Cyrus SASL versions up to and including 2.1.9 contain a buffer overflow in the username canonicalization routines that is triggered by supplying an excessively long username (e.g., Debian DSA-180-1, Source 3; Red Hat CVE-2002-1347, Source 4; CERT/CC VU#864643, Source 6; CVE-2002-1347 on CVE.org, Source 11). This directly matches the motion's wording (“2.1.9 and earlier,” “buffer overflow,” “long inputs,” “user name canonicalization”), and later reports about a different product's integration bug (CVE-2026-6691 in Source 1/5/7) do not negate the well-documented historical Cyrus SASL canonicalization overflow affecting 2.1.9-and-earlier releases.
The Proponent's argument rests on conflating CVE-2002-1347 — a 2002–2003 vulnerability documented in Sources 3, 4, 6, and 11 — with the claim as stated, yet the motion does not specify CVE-2002-1347 and the most authoritative, current sources (Sources 1 and 5, from CVE.org and INCIBE-CERT respectively) explicitly locate the canonicalization buffer overflow in the MongoDB C Driver's integration code rather than in the Cyrus SASL library itself. Furthermore, the Proponent commits a false equivalence fallacy by assuming that because the older CVE-2002-1347 advisories use similar language ('2.1.9 and earlier,' 'long usernames,' 'canonicalization'), the claim must be describing that historical vulnerability, when in fact the claim's framing aligns more precisely with the 2026 CVE-2026-6691 context in which the flaw is definitively attributed to integration code, not an intrinsic Cyrus SASL library defect.
Argument against
The claim conflates two distinct vulnerabilities: the refuting sources (Sources 1, 5, 7, 13, 26) consistently clarify that the relevant buffer overflow in username canonicalization is attributable to the MongoDB C Driver's integration code, not an intrinsic defect in the Cyrus SASL library itself across all versions 2.1.9 and earlier. While older sources like Source 2 and Source 3 reference CVE-2002-1347 from 2002–2003, the claim as stated misidentifies the locus of the vulnerability, making it fundamentally misleading as a description of a Cyrus SASL library-level flaw.
The Opponent commits a category error by treating the refuting sources on CVE-2026-6691 (Sources 1, 5, 7, 13, 26) as if they were responsive to the motion's library/version-specific claim, even though those sources describe a separate MongoDB C Driver integration flaw and therefore cannot negate the independently documented Cyrus SASL library canonicalization overflow fixed after 2.1.9. By contrast, multiple primary vendor and coordination advisories explicitly attribute CVE-2002-1347 to Cyrus SASL itself—"2.1.9 and earlier" overflowing during username canonicalization on long inputs (Sources 3, 4, 6, 11)—so the Opponent's “misleading locus” assertion is a non sequitur that ignores the directly on-point evidence.