CVE Daily
← All tags

Tag: Memcached

All CVEs associated with "Memcached". Page 1/1 • 62 CVEs.

About “Memcached”

A curated feed of “Memcached”-related CVEs appears below. We currently track 62 CVEs for this tag (all time). In the last 365 days, 6 were published. Average CVSS is 6.4 (all time; 7.1 over 365d), and 45% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-208 - Observable Timing Discrepancy, CWE-190 - Integer Overflow or Wraparound, CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection').

In our taxonomy this topic maps to a LOW impact class. Databases, proxies, and web servers often need coordinated restarts and config checks. Patch only modules you deploy, verify TLS and authentication, and tune limits. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: memcached

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
1.61.6.42-
1.51.5.22 Expired
1.41.4.39 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Memcached”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-06-02
High

CVE-2026-45686

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.7.0 to before version 0.9.0, a remotely reachable integer overflow in OBI's memcac…

CVSS: 7.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2026-05-20
High

CVE-2026-47784

In memcached before 1.6.42, password data for SASL password database authentication has a timing side channel because memcmp is used by sasl_server_userdb_checkpass.

CVSS: 8.1 CWE: CWE-208 - Observable Timing Discrepancy View on NVD
High

CVE-2026-47783

In memcached before 1.6.42, username data for SASL password database authentication has a timing side channel because a loop exits as soon as a valid username is found by sasl_server_userdb_checkpass.

CVSS: 8.1 CWE: CWE-208 - Observable Timing Discrepancy View on NVD
2026-03-12
Medium

CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate t…

CVSS: 4.6 CWE: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection') View on NVD
2026-03-06
High

CVE-2026-29093

WWBN AVideo is an open source video platform. Prior to version 24.0, the official docker-compose.yml publishes the memcached service on host port 11211 (0.0.0.0:11211) with no authentication, while t…

CVSS: 8.1 CWE: CWE-287 - Improper Authentication View on NVD
2026-02-27
Medium

CVE-2018-25160

HTTP::Session2 versions through 1.09 for Perl does not validate the format of user provided session ids, enabling code injection or other impact depending on session backend. For example, if an appl…

CVSS: 6.5 CWE: CWE-20 - Improper Input Validation View on NVD
2024-03-27
High

CVE-2023-43768

An issue was discovered in Couchbase Server 6.6.x through 7.2.0, before 7.1.5 and 7.2.1. Unauthenticated users may cause memcached to run out of memory via large commands.

CVSS: 7.5 CWE: CWE-770 - Allocation of Resources Without Limits or Throttling View on NVD
2023-10-27
Critical

CVE-2023-46853

In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used instead of \r\n.

CVSS: 9.8 CWE: CWE-193 - Off-by-one Error View on NVD
High

CVE-2023-46852

In Memcached before 1.6.22, a buffer overflow exists when processing multiget requests in proxy mode, if there are many spaces after the "get" substring.

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2023-10-16
Medium

CVE-2023-45148

Nextcloud is an open source home cloud server. When Memcached is used as `memcache.distributed` the rate limiting in Nextcloud Server could be reset unexpectedly resetting the rate count earlier than…

CVSS: 4.3 CWE: CWE-307 - Improper Restriction of Excessive Authentication Attempts View on NVD
2023-10-09
Medium

CVE-2023-41670

Cross-Site Request Forgery (CSRF) vulnerability in Palasthotel (in person: Edward Bock) Use Memcached plugin <= 1.0.4 versions.

CVSS: 5.4 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2023-08-22
High

CVE-2022-48571

memcached 1.6.7 allows a Denial of Service via multi-packet uploads in UDP.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
High

CVE-2020-22570

Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command.

CVSS: 7.5 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2023-06-23
Medium

CVE-2023-34673

Elenos ETG150 FM transmitter running on version 3.12 was discovered to be leaking SMTP credentials and other sensitive information by exploiting the publicly accessible Memcached service. The attack…

CVSS: 6.5 CWE: N/A View on NVD
2023-03-07
Medium

CVE-2023-27478

libmemcached-awesome is an open source C/C++ client library and tools for the memcached server. `libmemcached` could return data for a previously requested key, if that previous request timed out due…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2023-02-03
Medium

CVE-2021-37519

Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows attackers to cause a denial of service via crafted authenticattion file.

CVSS: 5.5 CWE: CWE-787 - Out-of-bounds Write View on NVD
2022-04-05
Critical

CVE-2022-26635

PHP-Memcached v2.2.0 and below contains an improper NULL termination which allows attackers to execute CLRF injection. Note: Third parties have disputed this as not affecting PHP-Memcached directly.

CVSS: 9.8 CWE: N/A View on NVD
2021-09-29
High

CVE-2021-35945

Couchbase Server 6.5.x, 6.6.0 through 6.6.2, and 7.0.0, has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
High

CVE-2021-35944

Couchbase Server 6.5.x, 6.6.x through 6.6.2, and 7.0.0 has a Buffer Overflow. A specially crafted network packet sent from an attacker can crash memcached.

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2021-07-21
Low

CVE-2021-2340

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 8.0.25 and prior. Easily exploitable vulnerability allows high privi…

CVSS: 2.7 CWE: N/A View on NVD
2021-05-27
Medium

CVE-2020-10697

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denia…

CVSS: 4.4 CWE: CWE-862 - Missing Authorization View on NVD
2021-05-13
Critical

CVE-2021-33026

The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache st…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2020-12-17
Critical

CVE-2020-35197

The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. System using the memcached docker container deployed by affected versions of the…

CVSS: 9.8 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2020-07-10
Medium

CVE-2020-15105

Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username…

CVSS: 5.4 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2020-06-03
Medium

CVE-2020-13254

An issue was discovered in Django 2.2 before 2.2.13 and 3.0 before 3.0.7. In cases where a memcached backend does not perform key validation, passing malformed cache keys could result in a key collis…

CVSS: 5.9 CWE: CWE-295 - Improper Certificate Validation View on NVD
2020-04-15
Medium

CVE-2020-2804

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Memcached). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Difficult t…

CVSS: 5.9 CWE: N/A View on NVD
2020-03-24
High

CVE-2020-10931

Memcached 1.6.x before 1.6.2 allows remote attackers to cause a denial of service (daemon crash) via a crafted binary protocol header to try_read_command_binary in memcached.c.

CVSS: 7.5 CWE: CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') View on NVD
2019-09-10
Medium

CVE-2019-11465

An issue was discovered in Couchbase Server 5.5.x through 5.5.3 and 6.0.0. The Memcached "connections" stat block command emits a non-redacted username. The system information submitted to Couchbase…

CVSS: 5.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2019-08-30
High

CVE-2019-15026

memcached 1.5.16, when UNIX sockets are used, has a stack-based buffer over-read in conn_to_str in memcached.c.

CVSS: 7.5 CWE: CWE-125 - Out-of-bounds Read View on NVD
2019-04-29
High

CVE-2019-11596

In memcached before 1.5.14, a NULL pointer dereference was found in the "lru mode" and "lru temp_ttl" commands. This causes a denial of service when parsing crafted lru command messages in process_lr…

CVSS: 7.5 CWE: CWE-476 - NULL Pointer Dereference View on NVD
2018-12-31
High

CVE-2018-6340

The Memcache::getextendedstats function can be used to trigger an out-of-bounds read. Exploiting this issue requires control over memcached server hostnames and/or ports. This affects all supported v…

CVSS: 8.1 CWE: CWE-125 - Out-of-bounds Read View on NVD
2018-10-17
Medium

CVE-2018-3276

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.41 and prior, 5.7.23 and prior and 8.0.12 and prior. Easily…

CVSS: 4.9 CWE: N/A View on NVD
2018-07-18
Medium

CVE-2018-3062

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.40 and prior, 5.7.22 and prior and 8.0.11 and prior. Diffic…

CVSS: 5.3 CWE: N/A View on NVD
2018-04-02
Critical

CVE-2018-1295

In Apache Ignite 2.3 or earlier, the serialization mechanism does not have a list of classes allowed for serialization/deserialization, which makes it possible to run arbitrary code when 3-rd party v…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2018-03-13
High

CVE-2018-1000127

memcached version prior to 1.4.37 contains an Integer Overflow vulnerability in items.c:item_free() that can result in data corruption and deadlocks due to items existing in hash table being reused f…

CVSS: 7.5 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2018-03-05
High

CVE-2018-1000115

Memcached version 1.5.5 contains an Insufficient Control of Network Message Volume (Network Amplification, CWE-406) vulnerability in the UDP support of the memcached server that can result in denial…

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2017-10-19
Medium

CVE-2017-10314

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.37 and earlier and 5.7.19 and earlier. Easily exploitable v…

CVSS: 4.9 CWE: N/A View on NVD
2017-08-08
Medium

CVE-2017-3633

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.36 and earlier and 5.7.18 and earlier. Difficult to exploit…

CVSS: 6.5 CWE: N/A View on NVD
2017-07-17
High

CVE-2017-9951

The try_read_command function in memcached.c in memcached before 1.4.39 allows remote attackers to cause a denial of service (segmentation fault) via a request to add/set a key, which makes a compari…

CVSS: 7.5 CWE: N/A View on NVD
2017-04-24
High

CVE-2017-3450

Vulnerability in the MySQL Server component of Oracle MySQL (subcomponent: Server: Memcached). Supported versions that are affected are 5.6.35 and earlier and 5.7.17 and earlier. Easily "exploitable"…

CVSS: 7.5 CWE: N/A View on NVD
2017-01-06
High

CVE-2016-8706

An integer overflow in process_bin_sasl_auth function in Memcached, which is responsible for authentication commands of Memcached binary protocol, can be abused to cause heap overflow and lead to rem…

CVSS: 8.1 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Critical

CVE-2016-8705

Multiple integer overflows in process_bin_update function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and le…

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
Critical

CVE-2016-8704

An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow a…

CVSS: 9.8 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
2016-10-25
Medium

CVE-2016-5631

Unspecified vulnerability in Oracle MySQL 5.7.13 and earlier allows remote administrators to affect availability via vectors related to Server: Memcached.

CVSS: 4.9 CWE: N/A View on NVD
2015-10-22
Low

CVE-2015-4910

Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.

CVSS: 2.1 CWE: N/A View on NVD
2015-07-16
Low

CVE-2015-4761

Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.

CVSS: 3.5 CWE: N/A View on NVD
2015-04-16
Low

CVE-2015-0507

Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached.

CVSS: 3.5 CWE: N/A View on NVD
2014-12-12
Medium

CVE-2014-8124

OpenStack Dashboard (Horizon) before 2014.1.3 and 2014.2.x before 2014.2.1 does not properly handle session records when using a db or memcached session engine, which allows remote attackers to cause…

CVSS: 5.0 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD
2014-10-15
Low

CVE-2014-6474

Unspecified vulnerability in Oracle MySQL Server 5.6.19 and earlier allows remote authenticated users to affect availability via vectors related to SERVER:MEMCACHED.

CVSS: 3.5 CWE: N/A View on NVD
2014-04-15
Medium

CVE-2014-0105

The auth_token middleware in the OpenStack Python client library for Keystone (aka python-keystoneclient) before 0.7.0 does not properly retrieve user tokens from memcache, which allows remote authen…

CVSS: 6.0 CWE: CWE-255 View on NVD
2014-01-13
Low

CVE-2013-7291

memcached before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (crash) via a request that triggers an "unbounded key print" during logging, related to an…

CVSS: 1.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Low

CVE-2013-7290

The do_item_get function in items.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fault) via a…

CVSS: 1.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
Medium

CVE-2013-7239

memcached before 1.4.17 allows remote attackers to bypass authentication by sending an invalid request with SASL credentials, then sending another request with incorrect SASL credentials.

CVSS: 4.8 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2013-0179

The process_bin_delete function in memcached.c in memcached 1.4.4 and other versions before 1.4.17, when running in verbose mode, allows remote attackers to cause a denial of service (segmentation fa…

CVSS: 1.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-12-12
Medium

CVE-2011-4971

Multiple integer signedness errors in the (1) process_bin_sasl_auth, (2) process_bin_complete_sasl_auth, (3) process_bin_update, and (4) process_bin_append_prepend functions in Memcached 1.4.5 and ea…

CVSS: 5.0 CWE: CWE-189 View on NVD
2013-07-17
Medium

CVE-2013-3798

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.6.11 and earlier allows remote attackers to affect integrity and availability via unknown vectors related to MemCached.

CVSS: 5.8 CWE: N/A View on NVD
2013-04-17
Medium

CVE-2013-1570

Unspecified vulnerability in Oracle MySQL 5.6.10 and earlier allows remote attackers to affect availability via unknown vectors related to MemCached.

CVSS: 5.0 CWE: N/A View on NVD
2012-10-22
Critical

CVE-2012-4406

OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arb…

CVSS: 9.8 CWE: CWE-502 - Deserialization of Untrusted Data View on NVD
2010-04-12
Medium

CVE-2010-1152

memcached.c in memcached before 1.4.3 allows remote attackers to cause a denial of service (daemon hang or crash) via a long line that triggers excessive memory allocation. NOTE: some of these detai…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2009-08-10
Critical

CVE-2009-2415

Multiple integer overflows in memcached 1.1.12 and 1.2.2 allow remote attackers to execute arbitrary code via vectors involving length attributes that trigger heap-based buffer overflows.

CVSS: 10.0 CWE: CWE-189 View on NVD
2009-04-30
Medium

CVE-2009-1494

The process_stat function in Memcached 1.2.8 discloses memory-allocation statistics in response to a stats malloc command, which allows remote attackers to obtain potentially sensitive information by…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2009-1255

The process_stat function in (1) Memcached before 1.2.8 and (2) MemcacheDB 1.2.0 discloses (a) the contents of /proc/self/maps in response to a stats maps command and (b) memory-allocation statistics…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox