SB2026042761 - Fedora 44 update for valkey

Published: April 27, 2026

Security Bulletin ID: SB2026042761
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 100%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Improper Neutralization (CVE-ID: CVE-2025-67733)

CWE-ID: CWE-707 - Improper Neutralization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to corrupt response data for other users on the same connection.

The vulnerability exists due to improper handling of null characters in the Lua script error-handling code when processing scripting command error replies. A remote user can use scripting commands to inject arbitrary data into the response stream and corrupt the response data of other users on the same connection.

The issue can affect other users sharing the same connection.


2) Out-of-bounds read (CVE-ID: CVE-2026-21863)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to an out-of-bounds read in the cluster bus packet-processing code when handling a malformed cluster bus ping extension packet. A remote attacker can send a specially crafted cluster bus packet to cause a denial of service.

Exploitation requires access to the Valkey cluster bus port.


3) Input validation error (CVE-ID: CVE-2026-27623)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in the request-processing logic when handling a malformed RESP request that follows an empty request. A remote attacker can send a specially crafted request to cause a denial of service.

The issue can trigger an assertion failure that causes the server to abort and shut down.


Remediation

Install the update from the vendor's website.