CVE-2022-26635

9.8 CRITICAL

📋 TL;DR

CVE-2022-26635 is an improper NULL termination issue reported against PHP-Memcached v2.2.0 and below. The claim is that an attacker who controls input used as a cache key can place CR/LF sequences into the Memcached ASCII protocol stream (CRLF injection), so that the rest of the key is parsed by the server as a separate command. It concerns PHP applications that pass attacker-influenced strings to the php-memcached extension. Note that the CVE is disputed by third parties: there is no evidence of a vulnerability in PHP-Memcached itself, and the reported behaviour depends on the application handing unvalidated keys to the extension.

💻 Affected Systems

Products:
  • php-memcached
Versions: v2.2.0 and below
Operating Systems: All operating systems running PHP with php-memcached extension
Default Config Vulnerable: ⚠️ Yes
Notes: Only PHP applications that use the php-memcached extension to talk to Memcached servers are in scope, and only where untrusted input reaches a key without validation. Third parties dispute that php-memcached itself is at fault.

📦 What is this software?

php-memcached is a PHP extension, built on libmemcached, that lets PHP applications store and fetch data on Memcached servers. It exposes the Memcached class (get, set, delete and related operations) and speaks the Memcached protocol on the application's behalf, which is why a key that breaks the protocol's framing matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could terminate a command early and append further Memcached commands, for example to overwrite or delete cached entries (cache poisoning) or to flush the cache. If the application unserializes cached values or trusts them for authorization decisions, poisoned entries can escalate to code execution or privilege escalation in the application; the Memcached server itself does not execute code.

🟠

Likely Case

CRLF injection allowing cache poisoning, data manipulation, or protocol manipulation affecting application behavior.

🟢

If Mitigated

Limited impact if the application never embeds untrusted input in keys unvalidated (or derives keys from it, e.g. by hashing), enables key verification in the client, and the Memcached server is reachable only from application hosts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation details are discussed in the GitHub issue linked under Official Fix. Because the CVE is disputed, a public PoC should be read as a demonstration that requires attacker-controlled keys reaching the extension without validation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.2.0 and above

Vendor Advisory: https://github.com/php-memcached-dev/php-memcached/issues/519

Restart Required: Yes

Instructions:

1. Update the php-memcached extension to v3.2.0 or later (via PECL or your distribution's package).
2. Restart PHP-FPM or the web server so the new extension binary is loaded; a running process keeps the old .so until restarted.
3. Confirm the extension is loaded with php -m | grep memcached, then check the version as described under How to Verify.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Validate every key the application sends to Memcached: reject or encode keys that contain whitespace or control characters (including CR and LF) or exceed 250 bytes, and enable Memcached::OPT_VERIFY_KEY so libmemcached rejects malformed keys as well. Values are length-prefixed on the wire, so keys are the input that matters; untrusted input is safest used to derive a key (for example, by hashing) rather than being embedded verbatim.
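The following is an added example (not code from php-memcached, nor from the GitHub issue referenced on this page) showing what that validation looks like in application code. It assumes PHP 8 with the php-memcached extension; the class and method names are illustrative, and the hostile key at the bottom is constructed for demonstration.

```php
<?php
// Added example: a wrapper that validates keys against the memcached ASCII
// protocol rules before they reach the extension, derives safe keys from
// untrusted input, and enables the extension's own key verification.
// Assumptions: PHP 8+, ext-memcached loaded. Names are illustrative.

final class SafeMemcached
{
    // memcached ASCII protocol: a key is at most 250 bytes and contains no
    // whitespace or control characters. CR (0x0d) or LF (0x0a) inside a key
    // ends the command line early, so the remainder is read as a new command.
    public const MAX_KEY_BYTES = 250;

    private Memcached $mc;

    public function __construct(Memcached $mc)
    {
        $this->mc = $mc;
        // Also ask libmemcached to verify keys (off by default in php-memcached).
        $this->mc->setOption(Memcached::OPT_VERIFY_KEY, true);
    }

    /** True only if $key can travel over the ASCII protocol unchanged. */
    public static function isValidKey(string $key): bool
    {
        if ($key === '' || strlen($key) > self::MAX_KEY_BYTES) {
            return false;
        }
        // Reject every C0 control byte, space (0x20) and DEL (0x7f).
        // preg_match() returns 0 for no match; false (error) is treated as invalid.
        return preg_match('/[\x00-\x20\x7f]/', $key) === 0;
    }

    /**
     * Derive a key from untrusted input instead of embedding it: the hash
     * bounds the length and can never contain control characters.
     */
    public static function derivedKey(string $namespace, string $untrusted): string
    {
        if (!self::isValidKey($namespace)) {
            throw new InvalidArgumentException('invalid key namespace');
        }
        return $namespace . ':' . hash('sha256', $untrusted);
    }

    /**
     * Illustration only: split the bytes a `get` for this key would put on the
     * wire at CRLF, which is how many commands the server would see. A clean
     * key yields exactly one frame.
     */
    public static function commandFrames(string $key): array
    {
        $wire = "get {$key}\r\n";
        return array_values(array_filter(explode("\r\n", $wire), 'strlen'));
    }

    public function get(string $key): mixed
    {
        $this->assertKey($key);
        return $this->mc->get($key);
    }

    public function set(string $key, mixed $value, int $ttl = 0): bool
    {
        $this->assertKey($key);
        return $this->mc->set($key, $value, $ttl);
    }

    public function delete(string $key): bool
    {
        $this->assertKey($key);
        return $this->mc->delete($key);
    }

    private function assertKey(string $key): void
    {
        if (!self::isValidKey($key)) {
            throw new InvalidArgumentException(
                'memcached key contains whitespace/control characters or is too long'
            );
        }
    }
}

// Constructed input: the kind of key an attacker could supply if the
// application builds keys straight from request data. No server needed here.
$hostile = "session:abc\r\nflush_all";
var_dump(SafeMemcached::isValidKey($hostile));
print_r(SafeMemcached::commandFrames($hostile));
var_dump(SafeMemcached::isValidKey(SafeMemcached::derivedKey('session', $hostile)));

// With a live server the wrapper replaces the raw client:
// $mc = new Memcached(); $mc->addServer('127.0.0.1', 11211);
// $cache = new SafeMemcached($mc);
// $cache->set(SafeMemcached::derivedKey('session', $_COOKIE['sid'] ?? ''), $data, 300);
```

commandFrames() is the whole point in one call: the hostile key produces two frames ("get session:abc" and "flush_all"), whereas a derived key produces one. Rejecting is the right default for keys the application composes itself; deriving via hash is the right default for keys that must carry user input.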

Network Segmentation

Applies to: linux

Restrict Memcached server access to trusted application servers only, using firewall rules such as the ones below (repeat the ACCEPT line per application host). Bind memcached to a non-public interface with -l as well, and filter UDP 11211 too if the UDP listener is enabled.

# Order matters: the ACCEPT for trusted_ip must precede the catch-all DROP.
iptables -A INPUT -p tcp --dport 11211 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 11211 -j DROP

🧯 If You Can't Patch

  • Validate or derive (hash) every key built from untrusted input before it is sent to Memcached; reject keys with whitespace, control characters or more than 250 bytes
  • Enable Memcached::OPT_VERIFY_KEY on the client so libmemcached rejects malformed keys
  • Restrict Memcached server network access to specific application servers using firewall rules and bind it to a non-public interface

🔍 How to Verify

Check if Vulnerable:

Check php-memcached extension version: php -i | grep 'memcached support' -A 5

Check Version:

php -i | grep 'memcached support' -A 5 | grep 'Version'

Verify Fix Applied:

Verify php-memcached extension version is v3.2.0 or later: php -i | grep 'memcached support' -A 5
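As an added example (not part of php-memcached or this advisory), the same check can be scripted in PHP so it runs in CI or a deployment hook. It assumes 3.2.0 is the fixed version, as stated above, and that the extension reports its version through phpversion('memcached'); the function name is illustrative.

```php
<?php
// Added verification script: reports the loaded php-memcached version,
// compares it with the fix version stated above, and checks whether a freshly
// created client verifies keys. Assumes ext-memcached; FIXED_VERSION is the
// advisory's figure, not something the extension itself exposes.

const FIXED_VERSION = '3.2.0';

function memcachedExtensionStatus(): array
{
    if (!extension_loaded('memcached')) {
        return ['loaded' => false];
    }
    $version = phpversion('memcached');
    return [
        'loaded'     => true,
        'version'    => $version,
        'patched'    => version_compare($version, FIXED_VERSION, '>='),
        // A new client does not verify keys unless the application asks for it;
        // getOption() needs no server connection.
        'verify_key' => (bool) (new Memcached())->getOption(Memcached::OPT_VERIFY_KEY),
    ];
}

$status = memcachedExtensionStatus();
if (!$status['loaded']) {
    echo "php-memcached is not loaded; nothing to check\n";
    exit(0);
}
printf("php-memcached %s: %s\n", $status['version'],
    $status['patched'] ? 'at or above ' . FIXED_VERSION : 'below ' . FIXED_VERSION . ', update');
printf("OPT_VERIFY_KEY default: %s\n",
    $status['verify_key'] ? 'enabled' : 'disabled (enable it or validate keys in the application)');
// Non-zero exit lets a pipeline fail on an unpatched build.
exit($status['patched'] ? 0 : 1);
```

Run it with the same PHP binary the application uses (php-fpm may load a different php.ini than the CLI), otherwise the reported version can differ from what serves traffic.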

📡 Detection & Monitoring

Log Indicators:

  • Keys containing CR, LF or other control characters in application logs or in memcached verbose output (memcached only records commands when started with -vv)
  • Keys longer than 250 bytes, or client-side key verification errors after enabling Memcached::OPT_VERIFY_KEY
  • Administrative commands (flush_all, stats) issued from application hosts that never use them

Network Indicators:

  • Memcached command lines in captured traffic whose key token contains control characters or is followed by an unexpected second command
  • Connections to port 11211 from hosts other than the application servers

SIEM Query:

Illustrative only; it assumes the memcached -vv log or a packet capture has been parsed into command and key fields, since the raw stream contains CRLF after every legitimate command.

source="memcached.log" AND (key="*\r*" OR key="*\n*" OR command="flush_all" OR NOT src_ip IN (app_server_ips))
