SB20260509121 - Fedora EPEL 8 update for valkey

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260509121

SB20260509121 - Fedora EPEL 8 update for valkey

Published: May 9, 2026

Security Bulletin ID SB20260509121
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2026-23479)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to use-after-free in the unblock client flow when a blocked client is evicted while re-executing a blocked command. A remote user can trigger this condition to execute arbitrary code.

The issue occurs because processCommandAndResetClient does not handle an error return value in this flow.


2) Heap-based buffer overflow (CVE-ID: CVE-2026-25243)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper input validation in the RESTORE command when processing a specially crafted serialized payload. A remote user can send a specially crafted serialized payload to execute arbitrary code.

Exploitation requires permission to execute the RESTORE command.


3) Use-after-free (CVE-ID: CVE-2026-23631)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to use-after-free in the Lua scripting synchronization mechanism when exploiting master-replica synchronization. A remote user can trigger the flaw through crafted Lua script execution to execute arbitrary code.

Only replicas with replica-read-only disabled are vulnerable.


Remediation

Install update from vendor's website.

References