ProtectivProtectiv
← Back to research
Vulnerability Research··Christian Niel Angel

Memdrop: memcached pre-auth remote DoS via zero-length asciiauth token

FieldValue
TargetMemcached (https://github.com/memcached/memcached)
SeverityHigh
CVSS:3.1AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:N / A:H → 7.5
CWECWE-125 (Out-of-bounds read) → CWE-476 (NULL/wild deref crash)
Affected versions1.6.41 through 1.6.43
CVEPENDING

Summary

Memdrop is a pre-authentication remote denial-of-service issue in memcached 1.6.41 through 1.6.43 when started with ASCII authentication (-Y <authfile>). An unauthenticated client can trigger the crash by sending three newline bytes (\n\n\n) immediately after connecting.

Vulnerability Details

When memcached is configured with -Y, new connections are handled by try_read_command_asciiauth until authentication completes. That path reads a line from the socket, locates the first newline, and forwards the slice to the vendored mcmc tokenizer.
The caller checks c->rbytes >= 3, but it does not check that the token length before the first newline is non-zero. If the first byte in the receive buffer is \n, then el == st and the tokenizer is invoked with len = 0.
_mcmc_tokenize_meta assumes that len is at least 2. It immediately evaluates line[len-2], then computes end = s + len - 2 or end = s + len - 1. With len = 0, both expressions place end behind the start of the buffer. The cursor n starts at line, the termination condition while (n != end) remains true, and the loop advances forward until it reaches unmapped memory and takes SIGSEGV.

Impact

A reachable unauthenticated client can terminate the memcached process with negligible effort. The trigger does not require valid protocol traffic, credentials, or repeated negotiation; a connection followed by three newline bytes is sufficient.

Operationally, this is a service-availability issue. Each successful trigger drops the cache process immediately. If the service is supervised and restarted, it returns empty, which can push read traffic back to the backing application or database until the cache warms again. Repeated triggering can keep the cache unstable and force repeated cold-start recovery.

The vulnerability is reachable only on deployments that:

  1. Runs Memcached version 1.6.41 through 1.6.43
  2. Started that binary with -Y <authfile>.
  3. Are reachable from the attacker via public internet exposure, or attacker has any network position inside the operator's network.

Proof of Concept

Remediation

Update memcached to version 1.6.44

References

Author

Christian Niel Angel

Co-founder

Christian Niel Angel is the Co-Founder of Protectiv and a cybersecurity practitioner based in the Philippines. His work focuses on vulnerability research, penetration testing, security assessments, and strengthening the security of modern applications and infrastructure.