CVE-2019-11596

In memcached before 1.5.14, a NULL pointer dereference was found in the lru mode and lru temp_ttl commands. This causes a denial of service when parsing crafted lru command messages in process_lru_command in memcached.c.

Weakness

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

Affected Software

Name	Vendor	Start Version	End Version
Memcached	Memcached	*	1.5.14 (excluding)
Red Hat Enterprise Linux 8	RedHat	memcached-0:1.5.9-3.el8	*
Red Hat OpenStack Platform 13.0 (Queens)	RedHat	memcached-0:1.4.39-3.el7ost	*
Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS	RedHat	memcached-0:1.4.39-3.el7ost	*
Memcached	Ubuntu	bionic	*
Memcached	Ubuntu	cosmic	*
Memcached	Ubuntu	devel	*
Memcached	Ubuntu	disco	*
Memcached	Ubuntu	upstream	*

Potential Mitigations

References

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00060.html
https://github.com/memcached/memcached/commit/d35334f368817a77a6bd1f33c6a5676b2c402c02
https://github.com/memcached/memcached/compare/ee1cfe3...50bdc9f
https://github.com/memcached/memcached/issues/474
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UUE3QBMP5UWTXMPKJREUICH6DIK6SOBX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y2CCWRM4LHB253KG5SPOKRVDCXQX5VZR/
https://usn.ubuntu.com/3963-1/

NVD	https://nvd.nist.gov/vuln/detail/CVE-2019-11596
CWE	https://cwe.mitre.org/data/definitions/476.html

NULL Pointer Dereference

Weakness

Affected Software

Potential Mitigations

References