  1. Ruby Driver
  2. RUBY-2199

Implement locking around Kerberos code in MRI extension

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Kerberos
    • Labels:
      None

      cyrus-sasl in https://www.cyrusimap.org/sasl/sasl/quickstart.html provides the following description of its thread safety:

      This library is believed to be thread safe if:

      • you supply mutex functions (see sasl_set_mutex())
      • you make no libsasl calls until sasl_client/server_init() completes
      • no libsasl calls are made after sasl_done() is begun
      • when using GSSAPI, you use a thread-safe GSS / Kerberos 5 library.

      We don't appear to set the mutex callbacks, therefore it is possible that when e.g. multiple connections are authenticating concurrently they could overwrite state in cyrus-sasl and cause crashes.

      Additionally we seem to be calling sasl_client_init (https://www.cyrusimap.org/sasl/sasl/reference/manpages/library/sasl_client_init.html) on every conversation where this should only be done once per process. I don't see how it is possible to prevent multiple calls to sasl_client_init from independent libraries that use sasl functionality, but at a minimum we should only be calling it once. We should also probably lock around that call.

      • Set mutex callbacks via sasl_set_mutex (https://www.cyrusimap.org/sasl/sasl/reference/manpages/library/sasl_set_mutex.html)
      • Track whether sasl_client_init had been called already and only call it once per process
      • Call sasl_client_init under a lock
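
The three steps listed above, sketched in C as an added example (not the driver's own code): pthread-backed callbacks in the shape sasl_set_mutex() expects, and a guard that runs the init step once per process under a lock. The krb_* names, fake_sasl_init and the local copies of SASL_OK/SASL_FAIL are assumptions made so the block builds without libsasl2; the real init step is shown in a comment.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>

/* Local copies of SASL_OK / SASL_FAIL from <sasl/sasl.h> (assumed names). */
enum { KRB_SASL_OK = 0, KRB_SASL_FAIL = -1 };

/* Same shapes as sasl_mutex_alloc_t / lock_t / unlock_t / free_t. */
void *krb_mutex_alloc(void) {
    pthread_mutex_t *m = malloc(sizeof *m);
    if (m != NULL && pthread_mutex_init(m, NULL) != 0) { free(m); m = NULL; }
    return m;
}
int krb_mutex_lock(void *m) { return pthread_mutex_lock(m) == 0 ? KRB_SASL_OK : KRB_SASL_FAIL; }
int krb_mutex_unlock(void *m) { return pthread_mutex_unlock(m) == 0 ? KRB_SASL_OK : KRB_SASL_FAIL; }
void krb_mutex_free(void *m) { if (m != NULL) { pthread_mutex_destroy(m); free(m); } }

/* Process-wide guard: the init step runs at most once, always under init_lock. */
static pthread_mutex_t init_lock = PTHREAD_MUTEX_INITIALIZER;
static int init_done = 0;

int krb_sasl_init_once(int (*init_step)(void)) {
    int rc = KRB_SASL_OK;
    pthread_mutex_lock(&init_lock);
    if (!init_done) {
        rc = init_step();
        init_done = (rc == KRB_SASL_OK); /* a failed init may be retried later */
    }
    pthread_mutex_unlock(&init_lock);
    return rc;
}

/* With libsasl2 linked, the init step would be:
 *   sasl_set_mutex(krb_mutex_alloc, krb_mutex_lock, krb_mutex_unlock, krb_mutex_free);
 *   return sasl_client_init(NULL);
 * The counting stand-in below lets the guard be exercised without the library. */
static int fake_calls = 0;
int fake_sasl_init(void) { fake_calls++; return KRB_SASL_OK; }

int main(void) {
    for (int i = 0; i < 3; i++) krb_sasl_init_once(fake_sasl_init);
    printf("init step ran %d time(s)\n", fake_calls);
    return 0;
}
```

The guard only covers calls made through this extension; other libraries in the same process that call sasl_client_init themselves are outside its reach.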

            Assignee:
            Unassigned
            Reporter:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            0
            Watchers:
            1