The PHP memcached library uses PHP serialization. If an attacker succeeds in placing malicious data in memcached (which does not require authentication), that malicious data will be unserialized when read via the PHP memcached library. unserialize is unsafe for untrusted data. Among other things, it may trigger code execution via the __wakeup method.
We should find a way to prevent the PHP memcached library from unserializing arbitrary data. Perhaps it can be patched to use JSON serialization instead.
This task was factored out of T161647: RFC: Deprecate using php serialization inside MediaWiki.