Use-after-free in Redis - CVE-2026-23479

Published: May 5, 2026

Vulnerability identifier: #VU130202
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-23479
CWE-ID: CWE-416
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Redis
Software vendor: Redis Labs

Description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to a use-after-free in the unblock-client flow: when a blocked client is evicted while its blocked command is being re-executed, the client object is freed but the flow continues to use it. A remote user can trigger this condition to execute arbitrary code.

The root cause is that processCommandAndResetClient does not handle the error return value in this flow, so execution continues with the already-freed client.
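A minimal C model of the bug class described above, added here as an illustration; it is not Redis source, the function and field names are hypothetical, and a flag stands in for real deallocation so that a touch after "free" is reported instead of being undefined behaviour:

```c
/* Simplified model (not Redis code) of an unblock-client flow in which the
 * re-execution step may evict and free the client and reports that through
 * its return value. Ignoring that return value is the CWE-416 pattern. */
#include <stddef.h>

#define C_OK   0
#define C_ERR (-1)
#define CLIENT_BLOCKED 1

typedef struct client {
    int    freed;      /* 1 once the client has been evicted (simulated free) */
    int    flags;
    size_t mem_used;   /* bytes attributed to this client (hypothetical field) */
} client;

/* Simulated free: real code would release the memory and leave c dangling. */
static void free_client(client *c) { c->freed = 1; }

/* Returns -1 when the caller touches a client that was already freed,
 * i.e. the use-after-free a sanitizer would report. */
static int client_clear_blocked(client *c) {
    if (c->freed) return -1;
    c->flags &= ~CLIENT_BLOCKED;
    return 0;
}

/* Re-execution step: a client over its limit is evicted here, and C_ERR
 * tells the caller that the pointer is no longer valid. */
static int process_command_and_reset(client *c, size_t maxmem_per_client) {
    if (c->mem_used > maxmem_per_client) {
        free_client(c);
        return C_ERR;
    }
    return C_OK;
}

/* Vulnerable flow: the return value is discarded and the client is used again.
 * Returns -1 when that use hits a freed client. */
static int unblock_client_vulnerable(client *c, size_t maxmem_per_client) {
    process_command_and_reset(c, maxmem_per_client);   /* result ignored */
    return client_clear_blocked(c);
}

/* Hardened flow: stop as soon as the callee reports the client is gone.
 * Returns 1 if the client survived, 0 if it was evicted, -1 on a detected UAF. */
static int unblock_client_safe(client *c, size_t maxmem_per_client) {
    if (process_command_and_reset(c, maxmem_per_client) == C_ERR)
        return 0;      /* c must not be dereferenced past this point */
    return client_clear_blocked(c) == 0 ? 1 : -1;
}

/* Driver: builds a blocked client with the given usage and runs one flow. */
static int run_flow(int safe, size_t mem_used, size_t limit) {
    client c = {0, CLIENT_BLOCKED, mem_used};
    return safe ? unblock_client_safe(&c, limit) : unblock_client_vulnerable(&c, limit);
}
```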

Remediation

Install the security update from the vendor's website.

External links