SB20260505114 - Multiple vulnerabilities in Redis

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2026-23631)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to use-after-free in the Lua scripting synchronization mechanism when exploiting master-replica synchronization. A remote user can trigger the flaw through crafted Lua script execution to execute arbitrary code.

Only replicas with replica-read-only disabled are vulnerable.

2) Use-after-free (CVE-ID: CVE-2026-23479)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to use-after-free in the unblock client flow when a blocked client is evicted while re-executing a blocked command. A remote user can trigger this condition to execute arbitrary code.

The issue occurs because processCommandAndResetClient does not handle an error return value in this flow.

3) Heap-based buffer overflow (CVE-ID: CVE-2026-25243)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in the RESTORE command when processing a specially crafted serialized payload. A remote user can send a specially crafted serialized payload to execute arbitrary code.

Exploitation requires permission to execute the RESTORE command.

Remediation

Install update from vendor's website.

References

• https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826
• https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3
• https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4