
Cloud Vulnerability DB
A community-led vulnerabilities database
Memcached version 1.6.7 was discovered to contain a Denial of Service vulnerability (CVE-2022-48571) that occurs when handling multi-packet uploads in UDP mode. The vulnerability was discovered in July 2023 and affects the high-performance memory object caching system (CVE Details, Debian Security).
The vulnerability stems from incorrect handling of multi-packet uploads in UDP mode. When it receives a multi-packet request, the server attempts to write an error message in response, but the mc_resp object is uninitialized at that point, which leads to a null reference crash. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (High): the attack vector is Network, attack complexity is Low, and no privileges or user interaction are required (Ubuntu Security).
The vulnerability can be exploited to cause a Denial of Service condition in affected Memcached installations. However, deployments that only use TCP are likely unaffected by this issue (Debian LTS).
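Since exposure depends on whether UDP is in use, the following added example (not code from the advisory or the Memcached project) audits a Debian-style `memcached.conf` for an active UDP listener. It assumes UDP has been off by default since memcached 1.5.6 and on by default before that; the function names and the sample configurations are constructed for illustration, and the result says nothing about whether the installed package already carries the fix.

```python
import shlex

# Assumption: UDP is off by default from memcached 1.5.6 onward; older
# builds listen on UDP unless the option -U 0 is given.
UDP_OFF_BY_DEFAULT_SINCE = (1, 5, 6)

def parse_version(text):
    """'1.5.22-2ubuntu0.3' -> (1, 5, 22); only the upstream part is used."""
    upstream = text.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))

def udp_port_from_conf(conf_text):
    """Return the explicitly configured UDP port, or None if it is not set."""
    port = None
    for line in conf_text.splitlines():
        tokens = shlex.split(line, comments=True)  # drops '#' comments
        for i, tok in enumerate(tokens):
            if tok in ("-U", "--udp-port") and i + 1 < len(tokens):
                port = int(tokens[i + 1])
            elif tok.startswith("--udp-port="):
                port = int(tok.split("=", 1)[1])
            elif tok.startswith("-U") and tok[2:].isdigit():
                port = int(tok[2:])  # attached form, e.g. -U0
    return port

def udp_exposed(conf_text, version):
    """True if this configuration leaves a UDP listener active."""
    explicit = udp_port_from_conf(conf_text)
    if explicit is not None:
        return explicit != 0  # -U 0 disables UDP on every version
    return parse_version(version) < UDP_OFF_BY_DEFAULT_SINCE

# Constructed sample configurations (not taken from any real host).
CONF_DEFAULTS = "-m 64\n-p 11211\n-l 127.0.0.1\n"
CONF_UDP_OFF = CONF_DEFAULTS + "-U 0\n"
CONF_UDP_ON = "-p 11211\n-U 11211\n"
CONF_COMMENTED = "-p 11211\n# -U 11211\n"

if __name__ == "__main__":
    for name, conf, ver in [
        ("defaults, 1.4.25", CONF_DEFAULTS, "1.4.25-2ubuntu1.5"),
        ("-U 0, 1.4.25", CONF_UDP_OFF, "1.4.25-2ubuntu1.5"),
        ("-U 11211, 1.6.7", CONF_UDP_ON, "1.6.7"),
        ("commented -U, 1.5.22", CONF_COMMENTED, "1.5.22-2ubuntu0.3"),
    ]:
        print(f"{name}: UDP exposed = {udp_exposed(conf, ver)}")
```

Hosts reported as exposed are the ones to prioritize for the fixed packages listed below, or for disabling UDP if it is not needed.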
The vulnerability has been fixed in multiple versions across different distributions. Ubuntu has released fixes for versions 20.04 LTS (1.5.22-2ubuntu0.3), 18.04 LTS (1.5.6-0ubuntu1.2+esm1), and 16.04 LTS (1.4.25-2ubuntu1.5+esm1). Debian has addressed the issue in version 1.5.6-1.1+deb10u1 for Debian 10 buster. The fix involves dropping multi-packet requests quietly instead of attempting to write an error message (Ubuntu Notice, GitHub Commit).
Source: This report was generated using AI