Memdrop: memcached pre-auth remote DoS via zero-length asciiauth token
| Field | Value |
|---|---|
| Target | Memcached (https://github.com/memcached/memcached) |
| Severity | High |
| CVSS:3.1 | AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H → 7.5 |
| CWE | CWE-125 (Out-of-bounds read) → CWE-476 (NULL/wild deref crash) |
| Affected versions | 1.6.41 through 1.6.43 |
| CVE | PENDING |
Summary
-Y <authfile>). An unauthenticated client can trigger the crash by sending three newline bytes (\n\n\n) immediately after connecting.Vulnerability Details
-Y, new connections are handled by try_read_command_asciiauth until authentication completes. That path reads a line from the socket, locates the first newline, and forwards the slice to the vendored mcmc tokenizer.c->rbytes >= 3, but it does not check that the token length before the first newline is non-zero. If the first byte in the receive buffer is \n, then el == st and the tokenizer is invoked with len = 0._mcmc_tokenize_meta assumes that len is at least 2. It immediately evaluates line[len-2], then computes end = s + len - 2 or end = s + len - 1. With len = 0, both expressions place end behind the start of the buffer. The cursor n starts at line, the termination condition while (n != end) remains true, and the loop advances forward until it reaches unmapped memory and takes SIGSEGV.Impact
A reachable unauthenticated client can terminate the memcached process with negligible effort. The trigger does not require valid protocol traffic, credentials, or repeated negotiation; a connection followed by three newline bytes is sufficient.
Operationally, this is a service-availability issue. Each successful trigger drops the cache process immediately. If the service is supervised and restarted, it returns empty, which can push read traffic back to the backing application or database until the cache warms again. Repeated triggering can keep the cache unstable and force repeated cold-start recovery.
The vulnerability is reachable only on deployments that:
- Runs Memcached version 1.6.41 through 1.6.43
- Started that binary with
-Y <authfile>. - Are reachable from the attacker via public internet exposure, or attacker has any network position inside the operator's network.
Proof of Concept
Remediation
Update memcached to version 1.6.44
References
Author
Christian Niel Angel
Co-founder
Christian Niel Angel is the Co-Founder of Protectiv and a cybersecurity practitioner based in the Philippines. His work focuses on vulnerability research, penetration testing, security assessments, and strengthening the security of modern applications and infrastructure.