The popular in-memory data structure store Redis has released a series of security updates to address five significant vulnerabilities that could lead to Remote Code Execution (RCE). These flaws, primarily impacting memory management and specific command processing, allow authenticated users to potentially seize control of the Redis server process.
While Redis Cloud customers have already been automatically protected, administrators of self-managed Redis Software, Open Source (OSS), and Community Edition (CE) versions are urged to upgrade to the latest patched releases immediately.
The most prominent threats in this advisory involve invalid memory access vulnerabilities within the RESTORE command. Tracked as CVE-2026-25243, CVE-2026-25588, and CVE-2026-25589, these flaws carry high-severity CVSS scores of 7.7.
According to the advisory, “A vulnerability in the Redis RESTORE command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution”.
These risks extend beyond the core engine to specialized modules. CVE-2026-25588 specifically impacts the RedisTimeSeries module, while CVE-2026-25589 targets the RedisBloom module. Successful exploitation in any of these cases could lead to “full compromise of the affected system, data exfiltration, or service disruption”.
Two other critical vulnerabilities involve Use-After-Free (UAF) conditions, which occur when a program continues to use a memory pointer after it has been freed:
- Unblock Client Flow (CVE-2026-23479): Triggered when a blocked client is evicted while re-executing a command. The advisory notes that “the code doesn’t handle the case where processing the command (processCommandAndResetClient) returns an error value,” creating an opening for RCE.
- Lua Scripting (CVE-2026-23631): An authenticated user can exploit the master-replica synchronization mechanism to trigger a UAF vulnerability. This specific bug affects all versions of Redis with Lua scripting where replica-read-only is disabled.
Redis emphasizes that because these are post-authentication issues, an attacker must first gain access to the Redis instance to exploit them.
| Vulnerability | CVSS | Primary Impacted Component | Fixed OSS/CE Versions |
|---|---|---|---|
| CVE-2026-23479 | 7.7 | Unblock Client Flow | 6.2.22, 7.2.14, 7.4.9, 8.2.6+ |
| CVE-2026-25243 | 7.7 | RESTORE Command | 6.2.22, 7.2.14, 7.4.9, 8.2.6+ |
| CVE-2026-25588 | 7.7 | RedisTimeSeries Module | 1.12.14, 1.10.24, 1.8.23 |
| CVE-2026-25589 | 7.7 | RedisBloom Module | 2.8.20, 2.6.28, 2.4.23 |
| CVE-2026-23631 | 6.1 | Lua / Master-Replica Sync | 6.2.22, 7.2.14, 7.4.9, 8.2.6+ |
To minimize the risk of exploitation, Redis recommends the following security hygiene:
- Restrict Network Access: Use firewalls to ensure only authorized systems can reach the database.
- Enforce Strong Authentication: Avoid unauthenticated configurations and ensure protected-mode is enabled.
- Limit Permissions: Grant user identities the minimum permissions necessary and restrict access to “potentially risky commands”.
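The following script is an added example, not code from Redis or from the advisory. It turns the fixed-version table and the three hygiene recommendations into checks an administrator can run offline: it compares a reported core version (a bare `x.y.z` or the `redis_version:` line from `INFO server`) against the minimum fixed release for its series, and it audits a `redis.conf`-style text for an exposed `bind`, `protected-mode no`, missing or password-less authentication, ACL users who keep full command access without dropping `RESTORE`, and `replica-read-only no` (the precondition the advisory names for CVE-2026-23631). The two sample configurations and the password value are constructed; module versions (RedisTimeSeries, RedisBloom) are not covered, and series the table does not list are reported as unknown rather than guessed.

```python
"""Added example: audit a redis.conf-style text and a reported Redis version
against the advisory's hardening advice and its fixed-version table."""
import re
from typing import Dict, List, Tuple

# Minimum fixed OSS/CE release per major.minor series, taken from the advisory table.
FIXED_CORE: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
}
CORE_CVES = "CVE-2026-23479, CVE-2026-25243, CVE-2026-23631"
EXPOSED_BINDS = {"0.0.0.0", "*", "::", "::*"}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Accept '7.4.8' or the 'redis_version:7.4.8' line from INFO server."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def core_patched(version: str) -> Tuple[bool, str]:
    """Compare a running core version with the advisory's fixed releases."""
    ver = parse_version(version)
    ver_s = ".".join(map(str, ver))
    series = (ver[0], ver[1])
    if series not in FIXED_CORE:
        return False, f"{ver[0]}.{ver[1]}.x is not in the advisory table; check the vendor advisory"
    fixed = FIXED_CORE[series]
    fixed_s = ".".join(map(str, fixed))
    if ver >= fixed:
        return True, f"{ver_s} >= {fixed_s}: core fixes present"
    return False, f"{ver_s} < {fixed_s}: exposed to {CORE_CVES}"


def parse_config(text: str) -> Dict[str, List[str]]:
    """redis.conf is 'directive arguments' per line; '#' starts a comment.
    Directives that may repeat (bind, user, rename-command) are kept as lists."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        conf.setdefault(key.lower(), []).append(rest.strip())
    return conf


def audit_config(text: str) -> List[str]:
    """Return one finding per setting that contradicts the advisory's hygiene advice."""
    conf = parse_config(text)
    findings: List[str] = []

    # Restrict network access: no bind means every interface; '*' or 0.0.0.0 likewise.
    addrs = [tok.lstrip("-") for b in conf.get("bind", []) for tok in b.split()]
    if not addrs:
        findings.append("bind: absent, server listens on all interfaces")
    elif any(a in EXPOSED_BINDS for a in addrs):
        findings.append(f"bind: exposed address in {addrs}")

    # protected-mode defaults to yes; only an explicit 'no' is a finding.
    if any(v.lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode: disabled")

    # Strong authentication: requirepass or ACL users, and no enabled user with nopass.
    users = conf.get("user", [])
    if "requirepass" not in conf and not users:
        findings.append("auth: no requirepass and no ACL users, default user is open")
    for u in users:
        toks = u.split()
        if len(toks) > 1 and "on" in toks and "nopass" in toks:
            findings.append(f"auth: user {toks[0]} is enabled with nopass")
        # Least privilege: full command access without carving out RESTORE
        # (RESTORE is in the @dangerous category, so -@dangerous also removes it).
        if ("+@all" in toks or "allcommands" in toks) and {"-restore", "-@dangerous"}.isdisjoint(toks):
            findings.append(f"acl: user {toks[0]} may run RESTORE (+@all without -restore)")

    # replica-read-only no is the precondition the advisory names for CVE-2026-23631.
    if any(v.lower() == "no" for v in conf.get("replica-read-only", [])):
        findings.append("replica-read-only: disabled (CVE-2026-23631 precondition)")
    return findings


# Constructed sample configurations, not taken from any real deployment.
WEAK_CONF = """# constructed: settings the advisory warns against
bind 0.0.0.0
protected-mode no
replica-read-only no
user default on nopass ~* &* +@all
"""

HARDENED_CONF = """# constructed: hardened per the advisory's recommendations
bind 127.0.0.1 -::1
protected-mode yes
replica-read-only yes
user default off
user app on >change-me-strong-secret ~app:* &* +@read +@write -restore -@dangerous
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf) or ["no findings"])
    print(core_patched("redis_version:7.4.8"))
    print(core_patched("8.2.6"))
```

The weak sample produces five findings (exposed bind, protected mode off, a password-less enabled default user, full command access without `-restore`, and replicas writable), while the hardened sample produces none; `7.4.8` is reported as below the fixed `7.4.9`, and `8.2.6` as patched. Run it against a copy of the real configuration and the `INFO server` output, not against the live instance, so the audit needs no credentials.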