SB2026042759 - Debian update for valkey




Published: April 27, 2026

Security Bulletin ID: SB2026042759
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper Neutralization (CVE-ID: CVE-2025-67733)

The vulnerability allows a remote user to corrupt response data for other users on the same connection.

The vulnerability exists due to improper handling of null characters in the Lua script error-handling code when processing scripting command error replies. A remote user can use scripting commands to inject arbitrary information into the response stream to corrupt response data for other users on the same connection.

The issue can affect other users sharing the same connection.


2) Out-of-bounds read (CVE-ID: CVE-2026-21863)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the clusterbus packet processing code when processing a malformed clusterbus ping extension packet. A remote attacker can send a specially crafted clusterbus packet to cause a denial of service.

Exploitation requires access to the Valkey clusterbus port.
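
The exposure condition above can be checked on a node by comparing the configured cluster bus port with the listening sockets. The following is an added example, not part of the bulletin or of Valkey: it assumes the standard `port`, `cluster-enabled` and `cluster-port` directives (the cluster bus port defaults to the data port plus 10000) and uses constructed sample input in place of a real `valkey.conf` and real `ss -Hltn` output.

```python
import ipaddress

# Constructed sample inputs (not from the bulletin): a valkey.conf excerpt and
# `ss -Hltn` output from a hypothetical cluster node.
SAMPLE_CONF = """\
port 7000
cluster-enabled yes
# cluster-port 0 means "data port + 10000"
cluster-port 0
"""
SAMPLE_SS = """\
LISTEN 0 511 127.0.0.1:7000 0.0.0.0:*
LISTEN 0 511 0.0.0.0:17000 0.0.0.0:*
LISTEN 0 511 [::1]:17000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def cluster_bus_port(conf_text):
    """Return the cluster bus port, or None if cluster mode is off."""
    opts = {"port": "6379", "cluster-enabled": "no", "cluster-port": "0"}
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() in opts:
            opts[parts[0].lower()] = parts[1].strip('"')
    if opts["cluster-enabled"].lower() != "yes":
        return None
    explicit = int(opts["cluster-port"])
    return explicit if explicit else int(opts["port"]) + 10000

def is_loopback(addr):
    """True only for loopback listeners; wildcards count as exposed."""
    addr = addr.strip("[]").split("%")[0]
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def exposed_bus_listeners(conf_text, ss_text):
    """List non-loopback local addresses listening on the cluster bus port."""
    bus = cluster_bus_port(conf_text)
    found = []
    for line in ss_text.splitlines():
        cols = line.split()
        if bus is None or len(cols) < 4:
            continue
        addr, _, port = cols[3].rpartition(":")
        if port == str(bus) and not is_loopback(addr):
            found.append(cols[3])
    return found

if __name__ == "__main__":
    print(exposed_bus_listeners(SAMPLE_CONF, SAMPLE_SS))
```

Any listener it reports should be reachable only from the other cluster nodes, for example through host firewall rules.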


Remediation

Install the update from the vendor's website.