Message-ID: <50aaff09-7d4b-4bb9-973a-281be4361896@oracle.com>
Date: Wed, 3 Jun 2026 12:24:24 -0700
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: 5 CVEs in Redis

On May 5, Redis published this advisory, which doesn't seem to have
made it to oss-security yet:
https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve202625589-cve-2026-23631/

The portions relating to their open-source releases are as follows:
> What happened?
> --------------
> As part of an ongoing effort by the Redis community and Redis to maintain
> safety, security, and compliance posture, five security vulnerabilities in
> Redis have been proactively identified and remediated in the versions
> indicated below.
> 
> 
> What are the vulnerabilities?
> -----------------------------
>  1. CVE-2026-23479 – Use-After-Free in unblock client flow may lead to
>     Remote Code Execution.
>     CVSS Score: 7.7 (High)
> 
>     When a blocked client is evicted while re-executing a blocked command,
>     an authenticated user may trigger a use-after-free and potentially lead
>     to remote code execution. The code doesn't handle the case where processing
>     the command (processCommandAndResetClient) returns an error value.
> 
>  2. CVE-2026-25243 – Invalid Memory Access in Redis RESTORE Command May Lead
>     to Remote Code Execution.
>     CVSS Score: 7.7 (High)
> 
>     A vulnerability in the Redis RESTORE command allows an authenticated user
>     to trigger an invalid memory access via a specially crafted serialized
>     payload, potentially resulting in remote code execution.
> 
>     Successful exploitation could allow an attacker with authenticated access
>     to execute arbitrary code in the context of the Redis server, potentially
>     leading to full compromise of the affected system, data exfiltration, or
>     service disruption.
> 
>  3. CVE-2026-25588 - Invalid Memory Access in RESTORE Command When Used with
>     RedisTimeSeries module May Lead to Remote Code Execution.
>     CVSS Score: 7.7 (High)
> 
>     A vulnerability in the RESTORE command, when used with the RedisTimeSeries
>     module, allows an authenticated attacker to trigger invalid memory access
>     via a specially crafted serialized payload, potentially resulting in remote
>     code execution.
> 
>     Successful exploitation could allow an attacker with authenticated access
>     to execute arbitrary code in the context of the Redis server, when used
>     with the RedisTimeSeries module, potentially leading to full compromise
>     of the affected system, data exfiltration, or service disruption.
> 
>  4. CVE-2026-25589 – Invalid Memory Access in RESTORE Command When Used
>     with RedisBloom module May Lead to Remote Code Execution.
>     CVSS Score: 7.7 (High)
> 
>     A vulnerability in the RESTORE command, when used with the RedisBloom
>     module, allows an authenticated attacker to trigger invalid memory access
>     via a specially crafted serialized payload, potentially resulting in remote
>     code execution.
> 
>     Successful exploitation could allow an attacker with authenticated access
>     to execute arbitrary code in the context of the Redis server, when used
>     with the RedisBloom module, potentially leading to full compromise of the
>     affected system, data exfiltration, or service disruption.
> 
>  5. CVE-2026-23631 - Lua Use-After-Free may lead to remote code execution.
>     CVSS Score: 6.1 (Medium)
> 
>     An authenticated user may exploit the synchronization mechanism of the
>     master-replica and trigger a use-after-free vulnerability, potentially
>     leading to remote code execution. The bug affects only replicas that
>     are configured, or may be configured with replica-read-only disabled,
>     and exists in all versions of Redis with Lua scripting.
> 
> How can you protect your Redis instance?
> ----------------------------------------
> 
> If you’re self-managing Redis Software, Open Source (OSS), or Community (CE)
> versions, there are several steps you should take to protect your Redis from
> exploitation. Exposure to these vulnerabilities requires an attacker to gain
> authenticated access to your Redis instance, making this a post-authentication
> issue that can lead to remote code execution (RCE).
> 
> To remediate against these vulnerabilities, upgrade your Redis to the latest
> versions, see our table below for full details. To minimize the risk of
> exploitation, it’s important to follow these best practices:
> 
>   * Restrict Network Access: Ensure that only authorized users and systems
>     have access to the Redis database. Use firewalls and network policies to
>     limit access to trusted sources and prevent unauthorized connectivity.
>   * Enforce Strong Authentication: Enforce the use of credentials for all
>     access to Redis instances. Avoid configurations that allow unauthenticated
>     access, and ensure protected-mode is enabled (in CE and OSS) to prevent
>     accidental exposure.
>   * Limit Permissions: Ensure that user identities with access to Redis are
>     granted the minimum permissions necessary. Only allow trusted identities
>     to run potentially risky commands.
>   * Update Regularly: Keep Redis updated to the latest version for the newest
>     security patches.
> 
> For more details on how to securely configure, deploy, and use Redis, visit
> the Community Edition documentation sites.
> 
> Am I impacted and how can I remediate?
> --------------------------------------
> 
> If you’re self-managing Redis, upgrade your Redis to the latest release.
> 
> The versions of Redis OSS/CE listed below and future versions include the
> corrections. Once the upgrades are performed, the vulnerability will be
> remediated in your environment.
> 
> You can download the latest versions here: https://redis.io/downloads/
> 
> Vulnerability    Impacted releases           Fixed releases
> -------------    -----------------           --------------
> CVE-2026-23479   All Redis OSS/CE releases   OSS/CE 6.2.22, 7.2.14, 7.4.9,
>                                               8.2.6, 8.4.3, 8.6.3
> 
> CVE-2026-25243   All Redis OSS/CE releases   OSS/CE 6.2.22, 7.2.14, 7.4.9,
>                                               8.2.6, 8.4.3, 8.6.3
> 
> CVE-2026-25588   All Redis OSS/CE releases   OSS/CE 6.2.22, 7.2.14, 7.4.9,
>                                               8.2.6, 8.4.3, 8.6.3,
>                                               RedisTimeSeries v1.12.14,
>                                               v1.10.24, v1.8.23
> 
> CVE-2026-25589   All Redis OSS/CE releases   OSS/CE 6.2.22, 7.2.14, 7.4.9,
>                                               8.2.6, 8.4.3, 8.6.3,
>                                               RedisBloom v2.8.20, v2.6.28, v2.4.23
> 
> CVE-2026-23631   All Redis OSS releases      OSS/CE 6.2.22, 7.2.14, 7.4.9,
>                  where replica-read-only      8.2.6, 8.4.3, 8.6.3
>                  is disabled
> 
> How can I tell if I was already exposed and how can I identify exploitation?
> ----------------------------------------------------------------------------
> 
> Refer to the table above to identify if you are on a vulnerable version.
> 
> As of this publication we have no evidence of exploitation of these
> vulnerabilities at Redis or in customer environments.
> 
> This isn’t a comprehensive guide, but it is a general recommendation you
> can adapt to your needs and operating environment.
> 
> There are a number of technical and behavioral indicators or artifacts that
> may be created if exploitation of the vulnerability occurred. If you search
> for these within your Redis environment, you should be able to detect
> potential exploitation related to your Redis instance.
> 
>   * Access to the Redis database from unauthorized or unknown sources
>   * Unknown or anomalous network ingress traffic to the Redis database
>   * Unexplained Redis server crashes, specifically crashes with a stack trace
>     that originates from the Lua engine
>   * Unknown, unexpected, or anomalous command execution by the redis-server user
>   * Unknown or anomalous network egress traffic (or attempts) from the Redis
>     database
>   * Unknown or anomalous changes to the file system, in particular in
>     directories that host Redis persistent or configuration files
> 
> Who gets the credit?
> --------------------
> 
> We thank the following researchers for their vigilance in reporting these
> vulnerabilities through our published process. We would also like to thank
> Wiz for the partnership and hosting Wiz ZeroDay.Cloud, where a number of
> these vulnerabilities were identified:
> 
>   * CVE-2026-23479 reported by independent researchers Team Xint Code
>     (Tim Becker @tjbecker, Jacob Newman, and Juno IM)
>   * CVE-2026-25243 the following issues were reported by:
>     - Redis: double-free, discovered by independent researcher Emil Lerner
>       (@emil_lerner)
>     - VectorSets - Integer overflow and Out-Of-Bounds read, discovered by the
>       independent researcher Joseph Surin.
>   * CVE-2026-25588 discovered by independent researchers Team Skateboarding Dog
>     (Joseph Surin, John Stephenson, and Annie Nie)
>   * CVE-2026-25589 – the following issues were reported by:
>     - RedisBloom: Out-Of-Bounds read/write, discovered by Daniel Firer
>     - RedisBloom - Integer overflow, heap buffer overflow, and Out-Of-Bounds
>       read/write, discovered by independent researcher Joseph Surin.
>   * CVE-2026-23631 discovered by independent researcher Yoni Sherez (@yoyosh__)

On June 2, Wiz published blogs with detailed reports at:
- https://www.zeroday.cloud/blog/redis-five-cves-overview
- https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive
- https://www.zeroday.cloud/blog/redis-cve-2026-23631-dark-replica
- https://www.zeroday.cloud/blog/redis-cve-2026-25243-deep-dive

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris
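A defender-side check against the advisory's version table, added here as an example that is not from the advisory, from Redis, or from the poster: it parses an INFO reply and CONFIG GET values (constructed below; in practice fetched from the server) and reports whether the running version predates the fixed OSS/CE releases and whether the protected-mode, authentication and replica-read-only settings the advisory names are in place.

```python
# Fixed OSS/CE releases from the advisory's table; later versions also carry the fixes.
FIXED_RELEASES = ("6.2.22", "7.2.14", "7.4.9", "8.2.6", "8.4.3", "8.6.3")

def parse_version(text):
    """'7.4.8' -> (7, 4, 8); a suffix such as '-rc1' is ignored."""
    return tuple(int(x) for x in text.split("-")[0].split(".")[:3])

def is_fixed(version):
    """True if `version` is at or beyond the fixed release of its branch.
    Branches absent from the table (7.0.x, 8.0.x) count as unfixed: the
    advisory names no fixed release for them."""
    v, fixed = parse_version(version), [parse_version(f) for f in FIXED_RELEASES]
    if v > max(fixed):
        return True  # "future versions include the corrections"
    return any(v[:2] == f[:2] and v[2] >= f[2] for f in fixed)

def parse_info(info_text):
    """Turn the key:value lines of an INFO reply into a dict."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            fields[key] = value
    return fields

def assess(info_text, config):
    """List findings for one server; `config` mirrors CONFIG GET name/value pairs."""
    info = parse_info(info_text)
    version = info.get("redis_version", "0.0.0")
    findings = []
    if not is_fixed(version):
        findings.append(f"version {version} predates the fixed releases; upgrade")
    if config.get("protected-mode", "no") != "yes":
        findings.append("protected-mode is disabled")
    if config.get("requirepass", "") == "":  # heuristic: ACL users are not inspected
        findings.append("no requirepass set; verify every ACL user requires a password")
    if config.get("replica-read-only", "yes") != "yes":
        findings.append("replica-read-only is disabled (CVE-2026-23631 precondition)")
    return findings

# Constructed sample replies, shaped like real INFO and CONFIG GET output.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.8\r\n# Replication\r\nrole:slave\r\n"
SAMPLE_CONFIG = {"protected-mode": "yes", "requirepass": "", "replica-read-only": "no"}
SAMPLE_FINDINGS = assess(SAMPLE_INFO, SAMPLE_CONFIG)
```

Module versions (RedisTimeSeries, RedisBloom) are not covered; extend the check with MODULE LIST output if those modules are loaded.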
