The advisory, published May 5, 2026, by Redis Chief Information Security Officer Riaz Lakhani, covers CVE-2026-23479, CVE-2026-25243, CVE-2026-25588, CVE-2026-25589, and CVE-2026-23631.
Organizations running self-managed Redis deployments are strongly urged to upgrade immediately, as exploitation could lead to full system compromise, data exfiltration, or service disruption.
Inside the Five Redis Security Flaws
The most technically complex of the five is CVE-2026-23479, carrying a CVSS score of 7.7 (High). This flaw involves a use-after-free vulnerability in Redis’s unblock client flow.
When a blocked client is evicted while re-executing a blocked command, an authenticated user can trigger memory corruption that could lead to RCE.
The root cause lies in improper error handling within the processCommandAndResetClient function.
This vulnerability was discovered and reported by Team Xint Code, consisting of researchers Tim Becker, Jacob Newman, and Juno IM, through the Wiz ZeroDay.Cloud platform.
CVE-2026-25243, also scored 7.7 (High), targets the Redis RESTORE command. An authenticated user can supply a specially crafted serialized payload to trigger invalid memory access, potentially enabling arbitrary code execution.
Emil Lerner identified a double-free condition in this flaw, while Joseph Surin independently uncovered an integer overflow and out-of-bounds read, demonstrating the vulnerability’s complex attack surface.
CVE-2026-25588 and CVE-2026-25589 both score 7.7 (High) and extend the RESTORE command vulnerability to Redis modules.
CVE-2026-25588 affects the RedisTimeSeries module and was reported by Team Skateboarding Dog (Joseph Surin, John Stephenson, and Annie Nie).
CVE-2026-25589 targets the RedisBloom module and was identified by Daniel Firer and Joseph Surin.
In both cases, an authenticated attacker can craft a maliciously serialized payload to trigger invalid memory access and achieve RCE within the Redis server’s execution context.
The ability to reach RCE through trusted module interfaces makes these findings particularly concerning for organizations using Redis’s extended ecosystem.
The fifth vulnerability, CVE-2026-23631, is rated Medium with a CVSS score of 6.1. It is a Lua use-after-free flaw that allows an authenticated user to exploit the master-replica synchronization mechanism to trigger memory corruption.
This flaw specifically impacts Redis replicas configured with replica-read-only disabled and is present across all Redis versions with Lua scripting enabled.
Researcher Yoni Sherez discovered this vulnerability. Although rated Medium, its presence in the replication layer makes it a meaningful risk for distributed Redis deployments.
All five CVEs affect Redis OSS/CE and Redis Software versions up to and including 8.0.6. Redis has released patches across multiple supported branches.
Fixed versions for Redis OSS/CE include 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3. For Redis Software, patched builds are available as 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
Module-specific fixes have also been released. RedisTimeSeries patches are available in versions 1.12.14, 1.10.24, and 1.8.23, while RedisBloom fixes are included in versions 2.8.20, 2.6.28, and 2.4.23.
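To turn the version lists above into a quick compliance check, here is an added example (not Redis's own tooling) that compares a server's `redis_version` and its loaded module versions against the fixed releases named in the advisory. It assumes the module names RedisTimeSeries and RedisBloom register under in `MODULE LIST` are `timeseries` and `bf`, and that those modules encode version x.y.z as the integer x*10000 + y*100 + z; the `INFO server` and `MODULE LIST` inputs are constructed samples.

```python
"""Check a Redis server and its modules against the fixed releases from the
May 2026 Redis advisory. Added example; inputs below are constructed."""

import re

# Fixed Redis OSS/CE releases per maintained branch, as listed in the advisory.
FIXED_OSS = ["6.2.22", "7.2.14", "7.4.9", "8.2.6", "8.4.3", "8.6.3"]

# Fixed module releases, keyed by the name the module registers under
# (assumption: RedisTimeSeries -> "timeseries", RedisBloom -> "bf").
FIXED_MODULES = {
    "timeseries": ["1.8.23", "1.10.24", "1.12.14"],
    "bf": ["2.4.23", "2.6.28", "2.8.20"],
}


def parse_version(text):
    """'7.2.13' -> (7, 2, 13); tuples compare component-wise."""
    return tuple(int(p) for p in text.strip().split("."))


def decode_module_version(num):
    """Assumption: these modules report x.y.z as x*10000 + y*100 + z."""
    return (num // 10000, (num // 100) % 100, num % 100)


def status(version, fixed_versions):
    """Classify a version tuple against the fixed release of its own branch.

    Returns 'fixed', 'vulnerable', or 'unlisted-branch' when major.minor has
    no fixed release in the advisory (treat that as needing an upgrade too).
    """
    fixed_by_branch = {parse_version(f)[:2]: parse_version(f) for f in fixed_versions}
    branch = version[:2]
    if branch not in fixed_by_branch:
        return "unlisted-branch"
    return "fixed" if version >= fixed_by_branch[branch] else "vulnerable"


def check_info_server(info_text):
    """Parse the redis_version field out of raw `INFO server` output."""
    m = re.search(r"redis_version:([0-9.]+)", info_text)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return m.group(1), status(parse_version(m.group(1)), FIXED_OSS)


def check_module_list(modules):
    """modules: (name, numeric_version) pairs as returned by MODULE LIST."""
    results = {}
    for name, num in modules:
        if name in FIXED_MODULES:
            results[name] = status(decode_module_version(num), FIXED_MODULES[name])
    return results


# Constructed sample of `INFO server` output (not captured from a real host).
SAMPLE_INFO = "# Server\r\nredis_version:7.2.13\r\nredis_mode:standalone\r\n"
# Constructed sample of MODULE LIST: name and integer version.
SAMPLE_MODULES = [("timeseries", 11213), ("bf", 20820), ("search", 21005)]

if __name__ == "__main__":
    version, verdict = check_info_server(SAMPLE_INFO)
    print(f"redis {version}: {verdict}")
    for name, verdict in check_module_list(SAMPLE_MODULES).items():
        print(f"module {name}: {verdict}")
```

A version whose branch is not in the fixed list (for example 8.0.6) is reported as `unlisted-branch` rather than silently passed, which is the conservative reading of the advisory's guidance to move to a fixed release.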
Redis Cloud customers are already protected, as patches were deployed automatically with no action required on their part.
For all self-managed deployments, Redis strongly recommends upgrading to a fixed release without delay.
Beyond patching, organizations should restrict network access to Redis instances using firewalls and network policies, enforce strong authentication, and enable protected mode.
Limiting user permissions to only necessary commands reduces the attack surface for authenticated-attacker scenarios.
Security teams should also actively monitor for anomalous behavior, including unexpected server crashes, unknown command execution, and unusual network traffic to or from the Redis database.
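As an added example of the monitoring the paragraph above recommends (not code from Redis or the advisory), the following scans two constructed inputs: `MONITOR`-style lines, to surface RESTORE and Lua script commands arriving from clients outside an allowlist of application hosts, and Redis server log lines, to surface crash reports. The allowlist, the client addresses and every log line are constructed for the example.

```python
"""Flag watched Redis commands from unexpected clients and crash reports in
server logs. Added example; all inputs are constructed samples."""

import re

# MONITOR line shape: "<unix ts> [<db> <ip:port or unix:path>] "CMD" "arg" ..."
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] "(?P<cmd>[^"]+)"'
)

# Commands tied to the advisory: RESTORE (serialized payload flaws) and
# Lua entry points (the replication use-after-free requires scripting).
WATCHED = {"RESTORE", "EVAL", "EVALSHA", "SCRIPT"}

# Markers Redis writes at the start of a crash report in its server log.
CRASH_MARKERS = ("=== REDIS BUG REPORT START", "crashed by signal")


def parse_monitor_line(line):
    """Return a dict for a well-formed MONITOR line, else None."""
    m = MONITOR_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "db": int(d["db"]),
            "client": d["client"], "cmd": d["cmd"].upper()}


def find_unexpected_commands(monitor_lines, allowed_sources):
    """(client, command) pairs for watched commands from non-allowlisted IPs."""
    findings = []
    for line in monitor_lines:
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        source = rec["client"].rsplit(":", 1)[0]  # strip the port
        if rec["cmd"] in WATCHED and source not in allowed_sources:
            findings.append((rec["client"], rec["cmd"]))
    return findings


def find_crash_reports(server_log_lines):
    """Server log lines that indicate a crash report was written."""
    return [l for l in server_log_lines if any(mk in l for mk in CRASH_MARKERS)]


# Constructed MONITOR output; 10.0.1.20 stands in for a known application host.
SAMPLE_MONITOR = [
    '1778000000.100000 [0 10.0.1.20:51000] "GET" "session:abc"',
    '1778000000.200000 [0 10.0.1.20:51000] "RESTORE" "k" "0" "\\x00\\x03foo"',
    '1778000000.300000 [0 192.0.2.77:40222] "RESTORE" "k" "0" "\\x00\\x03foo"',
    '1778000000.400000 [0 192.0.2.77:40222] "EVAL" "return 1" "0"',
    '1778000000.500000 [0 unix:/var/run/redis.sock] "PING"',
]
ALLOWED_SOURCES = {"10.0.1.20"}

# Constructed server log lines in Redis's log format.
SAMPLE_SERVER_LOG = [
    "1234:M 05 May 2026 10:00:00.000 * Ready to accept connections tcp",
    "1234:M 05 May 2026 10:05:12.345 # === REDIS BUG REPORT START: Cut & paste starting from here ===",
    "1234:M 05 May 2026 10:05:12.345 # Redis 7.2.13 crashed by signal: 11, si_code: 0",
]

if __name__ == "__main__":
    for client, cmd in find_unexpected_commands(SAMPLE_MONITOR, ALLOWED_SOURCES):
        print(f"watched command {cmd} from unexpected client {client}")
    for line in find_crash_reports(SAMPLE_SERVER_LOG):
        print(f"crash indicator: {line}")
```

The same checks apply to a MONITOR stream captured by a collector or to log lines shipped to a SIEM; the allowlist should be the set of hosts that legitimately issue RESTORE (for example, a migration job), so that the rule stays quiet under normal operation and fires only on the unexpected.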
Given that all five vulnerabilities require only authenticated access, not administrator-level privileges, the potential for exploitation in multi-tenant or misconfigured environments is significant, making rapid remediation a priority.
The post Critical Redis Vulnerabilities Enable Remote Code Execution Attacks appeared first on Cyber Security News.
