SB2026042756 - Multiple vulnerabilities in Valkey
Published: April 27, 2026
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-21863)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the clusterbus packet processing code when processing a malformed clusterbus ping extension packet. A remote attacker can send a specially crafted clusterbus packet to cause a denial of service.
Exploitation requires access to the Valkey clusterbus port.
2) Improper Neutralization (CVE-ID: CVE-2025-67733)
The vulnerability allows a remote user to corrupt response data for other users on the same connection.
The vulnerability exists due to improper handling of null characters in the Lua script error handling code when processing scripting command error replies. A remote user can use scripting commands to inject arbitrary data into the response stream and corrupt the response data of other users on the same connection.
The issue can affect other users sharing the same connection.
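The following is an added illustration, not code from the bulletin or from Valkey, of why an error reply that is not neutralised can corrupt other users' responses on a shared connection: RESP replies carry no request id, so a client attributes the n-th reply to the n-th outstanding request, and a reply that splits into two frames shifts every later reply by one. The bulletin does not describe the exact failing path, so the script text, the CRLF splitting and the neutralise/dispatch helpers here are constructed assumptions that demonstrate the reply-corruption class.

```python
import re
from collections import deque

CRLF = b"\r\n"

def neutralise(msg: str) -> str:
    """Server-side neutralisation of a script error message before it goes on the
    wire as a line-framed RESP error: CR, LF and NUL become spaces, so the text
    can neither end nor split the frame (assumed sanitiser, not Valkey's code)."""
    return re.sub(r"[\r\n\x00]", " ", msg)

def error_reply(msg: str) -> bytes:
    """Encode a RESP2 simple error ('-...\\r\\n') from a neutralised message."""
    return b"-" + msg.encode() + CRLF

def parse_replies(stream: bytes):
    """Split a pipelined RESP2 stream into replies: simple strings (+),
    errors (-), integers (:) and bulk strings ($)."""
    out, pos = [], 0
    while pos < len(stream):
        kind, end = stream[pos:pos + 1], stream.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated reply")
        line, pos = stream[pos + 1:end], end + 2
        if kind in (b"+", b"-"):
            out.append((kind.decode(), line.decode()))
        elif kind == b":":
            out.append((":", int(line)))
        elif kind == b"$":
            n = int(line)
            if stream[pos + n:pos + n + 2] != CRLF:
                raise ValueError("bad bulk framing")
            out.append(("$", stream[pos:pos + n].decode()))
            pos += n + 2
        else:
            raise ValueError(f"unexpected reply byte {kind!r}")
    return out

def dispatch(stream: bytes, waiters):
    """Hand replies, in order, to the users waiting on one shared connection.
    Returns {user: reply}; replies left over after all waiters are served are
    collected under '<unclaimed>' so the desynchronisation is visible."""
    queue, result = deque(waiters), {}
    for reply in parse_replies(stream):
        if queue:
            result[queue.popleft()] = reply
        else:
            result.setdefault("<unclaimed>", []).append(reply)
    return result

# Constructed sample: user A's script raised an error whose text embeds CRLF
# and a fake "+OK" reply; user B ran PING on the same connection.
raw_msg = "ERR script failed\r\n+OK"
bad_stream = b"-" + raw_msg.encode() + CRLF + b"+PONG" + CRLF   # not neutralised
good_stream = error_reply(neutralise(raw_msg)) + b"+PONG" + CRLF  # neutralised
```

With `bad_stream`, user B is handed the injected "+OK" frame and the real PONG is left unclaimed; with `good_stream`, each user receives exactly the reply meant for them.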
3) Input validation error (CVE-ID: CVE-2026-27623)
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to improper input validation in the request processing logic when handling malformed RESP requests after an empty request. A remote attacker can send a specially crafted request to cause a denial of service.
The issue can trigger an assertion failure that causes the server to abort and shut down.
Remediation
Install the update from the vendor's website.