Critical Redis Vulnerabilities Expose Systems to Remote Code Execution
Recent discoveries have unveiled five critical vulnerabilities within Redis, the widely utilized in-memory data structure store. These flaws pose significant security risks, potentially allowing authenticated attackers to execute arbitrary code remotely, leading to full system compromise, data exfiltration, or service disruption.
Overview of the Vulnerabilities
On May 5, 2026, Redis disclosed these vulnerabilities, affecting Redis Cloud, Redis Software, and all open-source community editions. Four of these vulnerabilities have been rated as High severity with Common Vulnerability Scoring System (CVSS) scores of 7.7, while one has been assigned a Medium severity score of 6.1.
Detailed Analysis of Each Vulnerability
1. CVE-2026-23479: Use-After-Free in Unblock Client Flow
This vulnerability arises when a blocked client is evicted during the re-execution of a blocked command. The Redis code fails to handle the error returned by the `processCommandAndResetClient` function, leading to a use-after-free condition. An authenticated attacker can exploit this flaw to execute arbitrary code within the Redis server context.
2. CVE-2026-25243: Invalid Memory Access via RESTORE Command
An authenticated user can send a specially crafted serialized payload to the `RESTORE` command, triggering invalid memory access. This flaw can lead to arbitrary code execution within the Redis server. Independent researcher Emil Lerner discovered a double-free variant of this issue, while Joseph Surin identified an integer overflow and out-of-bounds read in VectorSets.
3. CVE-2026-25588 and CVE-2026-25589: Flaws in RESTORE Command with RedisTimeSeries and RedisBloom Modules
These vulnerabilities are closely related and affect the `RESTORE` command when used with the RedisTimeSeries and RedisBloom modules, respectively. Authenticated attackers can trigger invalid memory accesses via crafted serialized payloads, resulting in potential remote code execution. Researchers Joseph Surin, John Stephenson, and Annie Nie discovered the TimeSeries flaw, while Daniel Firer and Joseph Surin identified multiple issues in RedisBloom, including out-of-bounds reads and writes, integer overflow, and heap buffer overflow.
4. CVE-2026-23631: Lua Use-After-Free Vulnerability
This medium-severity flaw involves a use-after-free condition in the Lua scripting engine. An authenticated user can exploit the master-replica synchronization mechanism to trigger this vulnerability. It specifically affects Redis replicas configured with `replica-read-only` disabled and exists across all Redis versions with Lua scripting enabled. Researcher Yoni Sherez (@yoyosh__) discovered this flaw.
Impacted Versions and Immediate Actions
All Redis Cloud deployments have been patched, requiring no customer action. However, self-managed deployments are affected across all Redis OSS/CE releases. The following fixed versions have been released:
– Redis OSS/CE: 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
– Redis Software: Versions up to and including 8.0.6 are impacted, with fixes available in builds 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
– Module-Specific Fixes: RedisTimeSeries v1.12.14, v1.10.24, v1.8.23, and RedisBloom v2.8.20, v2.6.28, v2.4.23.
Mitigation Strategies
While there is no evidence of active exploitation as of the publication date, organizations running self-managed instances should take immediate action:
1. Upgrade to the Latest Fixed Release: This is the primary remediation step. Downloads are available at redis.io/downloads.
2. Restrict Network Access: Use firewalls and network policies to allow only trusted sources to access Redis instances.
3. Enforce Strong Authentication: Implement robust authentication mechanisms to prevent unauthorized access.
4. Monitor and Audit Logs: Regularly review logs for any unusual activity that may indicate exploitation attempts.
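A defender-side triage check covering the fixed OSS/CE releases listed above and the replica condition behind the Lua use-after-free, written as an added example that is not part of the original article or of Redis's own tooling. The INFO text and CONFIG values are constructed samples standing in for `INFO server`/`INFO replication` and `CONFIG GET` replies; the `requirepass` check is a simplified heuristic that does not inspect ACL-defined users.

```python
# Added example (not Redis code): triage one self-managed instance against the advisory.
import re

# Fixed Redis OSS/CE releases per minor branch, taken from the advisory above.
FIXED_OSS_CE = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}

def parse_version(info_text):
    """Extract redis_version from INFO output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def patch_status(version):
    """'patched', 'vulnerable', or 'unknown-branch' when the branch is not in the table."""
    fixed = FIXED_OSS_CE.get(version[:2])
    if fixed is None:
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"

def triage(info_text, config):
    """Return findings for one instance; config maps CONFIG GET keys to values."""
    findings = []
    version = parse_version(info_text)
    status = patch_status(version)
    if status != "patched":
        findings.append(f"version {'.'.join(map(str, version))}: {status}; upgrade to a fixed release")
    role = re.search(r"^role:(\w+)", info_text, re.M)
    # CVE-2026-23631 requires a replica running with replica-read-only disabled.
    if role and role.group(1) in ("slave", "replica") and config.get("replica-read-only", "yes") == "no":
        findings.append("replica with replica-read-only disabled: exposed to CVE-2026-23631")
    # Heuristic only: ACL users created with ACL SETUSER are not visible here.
    if not config.get("requirepass"):
        findings.append("requirepass is empty: password authentication is not enforced")
    return findings

# Constructed sample replies (not captured from a real server).
SAMPLE_INFO = "# Server\nredis_version:7.2.13\n# Replication\nrole:slave\n"
SAMPLE_CONFIG = {"replica-read-only": "no", "requirepass": ""}

if __name__ == "__main__":
    for f in triage(SAMPLE_INFO, SAMPLE_CONFIG):
        print(f)
```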
Conclusion
The discovery of these vulnerabilities underscores the importance of proactive security measures and timely updates. Organizations utilizing Redis should prioritize patching their systems and implementing the recommended mitigations to safeguard against potential remote code execution attacks.