- Product: Apache Software Foundation Apache Kvrocks
- Vulnerabilities: 5 flaws (CVE-2026-46752, CVE-2026-41566, CVE-2026-46751, CVE-2026-45188, CVE-2026-54226)
- Highest severity: 10 (Critical · CVSSv4)
- Worst impact: Stack buffer overflow in Lua bit.tohex()
- Status: No confirmed exploitation yet
- Action: Update Apache Kvrocks to version 2.16.0 now!
| CVE | CVSS (CVSSv4) | Type | Affected versions | Fixed in | Status |
|---|---|---|---|---|---|
| CVE-2026-46752 | 10 | Stack buffer overflow in Lua bit.tohex() | 2.0.4 through 2.15.0 | 2.16.0 | No confirmed exploitation |
| CVE-2026-41566 | 9.4 | Improper permission check for the APPLYBATCH command | 2.8.0 through 2.15.0 | 2.16.0 | No confirmed exploitation |
| CVE-2026-46751 | Not stated | Unsafe loadstring reachable inside the Lua sandbox | 2.2.0 through 2.15.0 | 2.16.0 | No confirmed exploitation |
| CVE-2026-45188 | Not stated | Path traversal during replication synchronization | 1.0.0 through 2.15.0 | 2.16.0 | No confirmed exploitation |
| CVE-2026-54226 | Not stated | Integer overflow leading to remote denial of service | 2.6.0 through 2.15.0 | 2.16.0 | No confirmed exploitation |
TL;DR
Security researchers disclosed five Apache Kvrocks vulnerabilities, the most severe of which carries a critical CVSSv4 score of 10. All five are fixed in version 2.16.0, so administrators must upgrade their instances to protect their NoSQL database systems.
Why it matters
Apache Kvrocks is a distributed key-value NoSQL database built on RocksDB and compatible with the Redis protocol, which is why it is deployed as a high-capacity alternative to Redis. Because it occupies the same place in an architecture as Redis, these flaws put enterprise data stores at risk: depending on the bug, an attacker could crash server processes, bypass a permission check, or execute arbitrary code. The number of affected installations is unknown, the vendor has not confirmed exploitation in the wild, and no public proof-of-concept exploits are known at the time of writing.
How the attack works
The five flaws reach the server through different paths. CVE-2026-46752 is a stack buffer overflow in the Lua bit.tohex() function, part of the bit library exposed to scripts that the server's Lua interpreter executes. CVE-2026-41566 is an improper permission check on the APPLYBATCH command, so a caller can issue it without the authorization the command should require. CVE-2026-46751 leaves the unsafe loadstring function reachable inside the Lua sandbox; loadstring accepts precompiled Lua bytecode, which the Lua VM does not verify, so a script can feed it unvalidated bytecode. CVE-2026-45188 is a path traversal during replication synchronization. CVE-2026-54226 is an integer overflow that a remote client can trigger to cause a denial of service.
Affected versions
These flaws span many releases: the earliest vulnerable version is 1.0.0, and every range ends at 2.15.0, the last release before the fix.
- Versions 1.0.0 through 2.15.0: path traversal during replication synchronization (CVE-2026-45188)
- Versions 2.0.4 through 2.15.0: stack buffer overflow in Lua bit.tohex() (CVE-2026-46752)
- Versions 2.2.0 through 2.15.0: Lua sandbox denial of service via unsafe loadstring (CVE-2026-46751)
- Versions 2.6.0 through 2.15.0: integer overflow leading to remote denial of service (CVE-2026-54226)
- Versions 2.8.0 through 2.15.0: improper permission check for APPLYBATCH (CVE-2026-41566)
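As an added check for operators (example code written for this page, not code from the Kvrocks project), the following Python maps a running version onto the ranges above and tells you which CVEs are still open. The `INFO server` reply it parses is a constructed sample, and the `version:` field name is an assumption to confirm against your own deployment; the ranges and the 2.16.0 fix version are the ones stated in this advisory.

```python
"""Map a running Apache Kvrocks version onto the five advisories listed above.

Added example for this write-up; it is not code from the Kvrocks project.
The affected ranges and the fix version are the ones stated on this page.
The INFO sample is constructed, and the "version:" field name in the
INFO server reply is an assumption to check against your deployment.
"""
from __future__ import annotations

FIXED_IN = "2.16.0"

# (CVE, issue, first affected, last affected) exactly as listed in the advisory.
ADVISORIES = [
    ("CVE-2026-45188", "path traversal during replication sync", "1.0.0", "2.15.0"),
    ("CVE-2026-46752", "stack buffer overflow in Lua bit.tohex()", "2.0.4", "2.15.0"),
    ("CVE-2026-46751", "unsafe loadstring left in Lua sandbox", "2.2.0", "2.15.0"),
    ("CVE-2026-54226", "integer overflow, remote DoS", "2.6.0", "2.15.0"),
    ("CVE-2026-41566", "improper permission on APPLYBATCH", "2.8.0", "2.15.0"),
]

# Constructed sample of an INFO server reply; only the version line matters here.
SAMPLE_INFO = "# Server\r\nversion:2.15.0\r\ngit_sha1:0000000\r\ntcp_port:6666\r\n"


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.15.0', 'v2.15.0' or '2.16.0-rc1' into a comparable tuple."""
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_prerelease(text: str) -> bool:
    """A '-rc1'-style suffix means the build may predate the final fix commits."""
    return "-" in text.strip()


def version_from_info(info: str) -> str:
    """Extract the version field from a raw INFO server reply (field name assumed)."""
    for line in info.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "version":
            return value.strip()
    raise ValueError("no 'version:' field in INFO output")


def affected_cves(version: str) -> list[str]:
    """Return the CVE ids whose affected range contains this version."""
    v = parse_version(version)
    return [cve for cve, _, lo, hi in ADVISORIES
            if parse_version(lo) <= v <= parse_version(hi)]


def assess(version: str) -> str:
    """One-line verdict for an operator: what is open and what to do."""
    hits = affected_cves(version)
    if not hits and parse_version(version) >= parse_version(FIXED_IN):
        if is_prerelease(version):
            # A 2.16.0 pre-release numbers like the fix but may not carry all of it.
            return f"CHECK: {version} is a pre-release of {FIXED_IN}; confirm it carries the fixes"
        return f"OK: {version} is at or above {FIXED_IN}"
    if not hits:
        return f"CHECK: {version} is outside the listed ranges; verify manually"
    return f"VULNERABLE: {version} affected by {', '.join(hits)}; upgrade to {FIXED_IN}"


if __name__ == "__main__":
    print(assess(version_from_info(SAMPLE_INFO)))
    for probe in ("1.0.0", "2.7.3", "2.16.0", "2.16.0-rc1"):
        print(assess(probe))
```

Feed it the output of `redis-cli -p 6666 INFO server` (6666 is the Kvrocks default port) from each node; a pre-release or unusually numbered build is deliberately reported as CHECK rather than OK, since a version string alone does not prove the fix commits are present.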
Patch or mitigation steps
The Apache Software Foundation released security updates to fix these issues. Administrators must upgrade to version 2.16.0 immediately. You can find the latest release on the official Apache Kvrocks download page. Applying this update fully resolves all five security defects.