CVE-2021-32626
Published: 2021-10-04
Priority: P2 (65)
Severity: high, CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 15.13% (96.3th percentile)
Redis is an open source, in-memory database that persists on disk. In affected versions, specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update, an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict the EVAL and EVALSHA commands.
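The ACL workaround the advisory describes, shown as an added configuration example (not from the Redis project or this page), with the weak rule beside the hardened one; it assumes Redis 6.0 or later (where ACLs exist) and a constructed application user named `app`:

```conf
# Added example: redis.conf "user" directives illustrating the advisory's ACL workaround.
# Assumes Redis 6.0+; the user name "app" and its password are constructed placeholders.

# Weak: a full-access user can submit arbitrary Lua via EVAL / EVALSHA.
user app on >constructed-password ~* +@all

# Hardened: same user, but the scripting category is denied after +@all,
# which removes EVAL and EVALSHA, the vector for CVE-2021-32626.
# Rules apply left to right, so -@scripting must come after +@all.
user app on >constructed-password ~* +@all -@scripting

# Narrower variant if only the two commands are to be blocked:
# user app on >constructed-password ~* +@all -eval -evalsha

# Clients that authenticate as the built-in "default" user need the same
# restriction, e.g. at runtime: ACL SETUSER default -@scripting
```

Verify the rule with `redis-cli --user app --pass <password> EVAL "return 1" 0`, which should now be rejected with a NOPERM error instead of returning 1.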
Affected (25 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | redis | < redis 5:6.0.16-1 (bookworm) | redis 5:6.0.16-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl2_redis_6.2.6-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_redis_5.0.14-1_on_cbl_mariner_1.0 | — | — |
| oracle | communications_operations_monitor | — | — |
| oracle | communications_operations_monitor | — | — |
| oracle | communications_operations_monitor | — | — |
| redis | redis | — | — |
| redis | redis | — | — |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:6.0.16-1+deb11u1 | 5:6.0.16-1+deb11u1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 5:6.0.16-1 | 5:6.0.16-1 |
| redis | redis | >= 0 < 2:2.8.4-2ubuntu0.2+esm2 | 2:2.8.4-2ubuntu0.2+esm2 |
| redis | redis | >= 0 < 2:3.0.6-1ubuntu0.4+esm1 | 2:3.0.6-1ubuntu0.4+esm1 |
| redis | redis | >= 0 < 5:4.0.9-1ubuntu0.2+esm3 | 5:4.0.9-1ubuntu0.2+esm3 |
| redis | redis | >= 0 < 5:5.0.7-2ubuntu0.1+esm1 | 5:5.0.7-2ubuntu0.1+esm1 |
| redis | redis | >= 2.6 < 5.0.14 | 5.0.14 |
| redis | redis | >= 6.0.0 < 6.0.16 | 6.0.16 |
| redis | redis | >= 6.2.0 < 6.2.6 | 6.2.6 |
Detection & IOCs (extracted from sources)
- Restrict or monitor use of the EVAL and EVALSHA Redis commands, which are the attack vector for triggering the heap-based Lua stack overflow in CVE-2021-32626.
- Any Redis instance running versions prior to 5.0.14, 6.0.16, or 6.2.6 with Lua scripting enabled (starting from Redis 2.6) is vulnerable; flag such instances in your environment.
- Alert on specially crafted Lua scripts submitted to Redis (via EVAL/EVALSHA) that may attempt to overflow the heap-based Lua stack, potentially indicating exploitation attempts.
- Mitigation (without patching) requires using Redis ACLs to block EVAL and EVALSHA commands for untrusted users; this disables all Lua scripting functionality.
- Red Hat Ansible Tower 3 ships an affected version of Redis; Red Hat 3scale API Management Platform 2, Ansible Automation Platform 1.2, RHEL 9, and rh-redis6-redis (Software Collections) are listed as not affected.
- Oracle Communications (FDP/Redis component) is affected via the TCP network protocol with a CVSS score of 8.8; remote exploit is listed as 'No' in Oracle's matrix, meaning authentication or adjacent access may be required.
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd (v2.0) | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | 8.8 | HIGH | — |
| vendor_msrc | 8.8 | HIGH | — |
| vendor_oracle | 8.8 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 5.4 | MEDIUM | — |
Ubuntu: Redis vulnerabilities (listed under CVE-2021-41099 [MEDIUM])
Source: vendor_ubuntu · 2022-08-03 · CVSS 5.4
Summary: Several security issues were fixed in Redis.
It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2021-32626)
It was discovered that Redis incorrectly handled some malformed requests
when using Redis Lua Debugger. A remote attacker could possibly use this
issue to cause a denial of service or other unspecified impact. This issue
only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-32672)
It was discovered that Redis incorrectly handled certain Redis Standard
Protocol (RESP) requests. A remote attacker could possibly use this issue
to cause a denial of service. (CVE-2021-32675)
It was discovered t
Oracle: Oracle Communications Risk Matrix: FDP (Redis) — CVE-2021-32626 [HIGH]
Source: vendor_oracle · 2022-04-15 · CVSS 8.8
CVE: CVE-2021-32626
CVSS: 8.8
Protocol: TCP
Remote exploit: No
Affected versions: Network
Advisory: cpuapr2022 (APR 2022)
Microsoft: Lua scripts can overflow the heap-based Lua stack in Redis (CVE-2021-32626 [HIGH], CWE-122)
Source: vendor_msrc · 2021-10-12 · CVSS 8.8
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: http
Red Hat: redis: Lua scripts can overflow the heap-based Lua stack (CVE-2021-32626 [HIGH], CWE-787)
Source: vendor_redhat · 2021-10-04 · CVSS 7.5
A heap buffer overflow was found in redis. S
Debian: CVE-2021-32626: redis [HIGH]
Source: vendor_debian · 2021 · CVSS 7.5
Scope: local
bookworm: resolved (fixed in 5:6.0.16-1)
bullseye: resolved (fixed in 5:6.0.16-1+deb11u1)
OSV: redis vulnerabilities (CVE-2021-32626 [HIGH])
Source: osv · 2022-08-03 · CVSS 8.8
It was discovered that Redis incorrectly handled certain specially crafted
Lua scripts. A remote attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2021-32626)
It was discovered that Redis incorrectly handled some malformed requests
when using Redis Lua Debugger. A remote attacker could possibly use this
issue to cause a denial of service or other unspecified impact. This issue
only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2021-32672)
It was discovered that Redis incorrectly handled certain Redis Standard
Protocol (RESP) requests. A remote attacker could possibly use this issue
to cause a denial of service. (CVE-2021-32675)
It was discovered that Redis incorrectly handled some configuration
parameters wi
OSV: CVE-2021-32626: Redis is an open source, in-memory database that persists on disk (CVE-2021-32626 [HIGH])
Source: osv · 2021-10-04 · CVSS 8.8
No detection rules found.
No public exploits indexed.
References
- https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591
- https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c
- https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- https://security.gentoo.org/glsa/202209-17
- https://security.netapp.com/advisory/ntap-20211104-0003/
- https://www.debian.org/security/2021/dsa-5001
- https://www.oracle.com/security-alerts/cpuapr2022.html