CVE-2022-35951
Published: 2022-09-23
Priority: P2 · 60 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.74% (84.3rd percentile)
Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known workarounds exist.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redis | < redis 5:7.0.5-1 (bookworm) | redis 5:7.0.5-1 (bookworm) |
| fedoraproject | fedora | — | — |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:7.0.5-1 | 5:7.0.5-1 |
| redis | redis | >= 0 < 5:7.0.5-1 | 5:7.0.5-1 |
| redis | redis | >= 0 < 5:7.0.5-1 | 5:7.0.5-1 |
| redis | redis | >= 7.0.0 < 7.0.5 | 7.0.5 |
Detection & IOCs (extracted from sources)
- Trigger command for CVE-2022-35951 is XAUTOCLAIM executed on a stream key in a specific state with a specially crafted COUNT argument, leading to integer overflow and heap overflow.
- Monitor Redis instances running versions 7.0.0 through 7.0.4 (inclusive) for XAUTOCLAIM commands with anomalous COUNT argument values (e.g., extremely large or negative integers indicative of overflow attempts).
- Only Redis versions 7.0.0–7.0.4 are affected; Redis 6.x (including rh-redis6-redis and redis:6) is NOT affected. Ensure version checks in detection logic are scoped accordingly.
- No known workarounds exist; the only mitigation is patching to Redis 7.0.5 or later.
- Multiple Red Hat packages (RHEL 8/9, OpenStack, Quay, Ansible, RHACM, Fuse, RHSC) ship Redis 6.x and are explicitly marked Not Affected; do not alert on these.
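The detection guidance above (watch affected 7.0.x instances for XAUTOCLAIM calls with anomalous COUNT values, and keep the version scoping tight) can be turned into a small log scanner. The following is an added example, not code from the advisory or from the Redis project: it parses lines in the shape Redis `MONITOR` emits (`<timestamp> [<db> <client>] "CMD" "arg" ...`), pulls out the COUNT option of XAUTOCLAIM, and flags values that are non-integer, non-positive, or above an alert threshold. The threshold `MAX_SANE_COUNT` and the sample lines are assumptions constructed for the demo; the affected-version bounds come from the advisory.

```python
"""Flag anomalous XAUTOCLAIM COUNT arguments in Redis MONITOR output.

Added example for CVE-2022-35951 detection; not part of the advisory or of
Redis itself. Version bounds are from the advisory, the threshold and the
sample lines are constructed assumptions.
"""
import re
import shlex
from typing import Dict, Iterable, List, Optional, Tuple

# Affected range per the advisory: 7.0.0 <= version < 7.0.5
AFFECTED_MIN: Tuple[int, int, int] = (7, 0, 0)
FIXED: Tuple[int, int, int] = (7, 0, 5)

# Assumed alert threshold: the advisory gives no exact trigger value, so pick a
# bound well above any legitimate batch size used in your environment.
MAX_SANE_COUNT = 100_000

# MONITOR line shape: <unix ts> [<db> <client addr>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<argv>.*)$')


def parse_version(version: str) -> Tuple[int, ...]:
    """'7.0.3' -> (7, 0, 3); extra components are ignored."""
    return tuple(int(part) for part in version.split('.')[:3])


def is_affected_version(version: str) -> bool:
    """True only for 7.0.0 through 7.0.4; 6.x and 7.0.5+ are out of scope."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def parse_monitor_line(line: str) -> Optional[Dict[str, object]]:
    """Split one MONITOR line into timestamp, client address and argv list."""
    match = MONITOR_RE.match(line.strip())
    if match is None:
        return None
    return {
        'ts': float(match.group('ts')),
        'addr': match.group('addr'),
        'argv': shlex.split(match.group('argv')),
    }


def xautoclaim_count_issue(argv: List[str]) -> Optional[str]:
    """Return a description of an anomalous COUNT, or None if the call looks benign.

    Syntax: XAUTOCLAIM key group consumer min-idle-time start [COUNT n] [JUSTID],
    so options begin at argv index 6.
    """
    if not argv or argv[0].upper() != 'XAUTOCLAIM':
        return None
    for i in range(6, len(argv)):
        if argv[i].upper() != 'COUNT':
            continue
        if i + 1 >= len(argv):
            return 'COUNT given without a value'
        raw = argv[i + 1]
        try:
            count = int(raw)
        except ValueError:
            return f'non-integer COUNT {raw!r}'
        if count <= 0:
            return f'non-positive COUNT {count}'
        if count > MAX_SANE_COUNT:
            return f'COUNT {count} exceeds threshold {MAX_SANE_COUNT}'
        return None
    return None


def scan_monitor(lines: Iterable[str], server_version: str) -> List[Dict[str, object]]:
    """Scan MONITOR lines from one server; alerts only if that server is in the affected range."""
    if not is_affected_version(server_version):
        return []
    alerts = []
    for line in lines:
        record = parse_monitor_line(line)
        if record is None:
            continue
        issue = xautoclaim_count_issue(record['argv'])  # type: ignore[arg-type]
        if issue:
            alerts.append({'ts': record['ts'], 'addr': record['addr'], 'issue': issue})
    return alerts


# Constructed sample MONITOR lines (not captured from a real incident).
SAMPLE_MONITOR = [
    '1663920000.123456 [0 10.0.0.5:51234] "XAUTOCLAIM" "orders" "workers" "w1" "3600000" "0-0" "COUNT" "10"',
    '1663920001.000001 [0 10.0.0.9:40001] "XAUTOCLAIM" "orders" "workers" "w2" "3600000" "0-0" "COUNT" "1000000000000"',
    '1663920002.500000 [0 10.0.0.9:40001] "XAUTOCLAIM" "orders" "workers" "w2" "3600000" "0-0" "COUNT" "-1"',
    '1663920003.000000 [0 10.0.0.5:51234] "XADD" "orders" "*" "id" "42"',
]

if __name__ == '__main__':
    for alert in scan_monitor(SAMPLE_MONITOR, '7.0.3'):
        print(alert)
```

Run against a 7.0.3 server the two anomalous calls from 10.0.0.9 are reported and the normal `COUNT 10` call is not; run with `server_version='7.0.5'` or any 6.x version the scanner returns nothing, which is the scoping the third bullet asks for. `MONITOR` itself is expensive on busy instances, so in practice feed this from a short capture or from proxy/audit logs with the same argv shape rather than leaving MONITOR attached.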
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | 9.8 | CRITICAL | — |
| vendor_debian | 7.0 | HIGH | — |
| vendor_redhat | 7.0 | HIGH | — |
Red Hat
redis: heap overflow in XAUTOCLAIM command's COUNT argument
vendor_redhat · 2022-09-22 · CVSS 7.0
CVE-2022-35951 [HIGH] CWE-190 redis: heap overflow in XAUTOCLAIM command's COUNT argument
An Integer Overflow attack vulnerability was found in Redis, an in-memory database that persists on disk. Executing a `XAUTOCLAIM` command on a stream key in a specific state with a specially crafted `COUNT` argument may cause an integer overflow, and a subsequent heap overflow, potentially leading to remote c
Debian
CVE-2022-35951: redis - Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, ...
vendor_debian · 2022 · CVSS 7.0
Scope: local
- bookworm: resolved (fixed in 5:7.0.5-1)
- bullseye: resolved
- forky: resolved (fixed in 5:7.0.5-1)
- sid: resolved (fixed in 5:7.0.5-1)
- trixie: resolved (fixed in 5:7.0.5-1)
OSV
CVE-2022-35951: Redis is an in-memory database that persists on disk
osv · 2022-09-23 · CVSS 9.8
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/redis/redis/security/advisories/GHSA-5gc4-76rx-22c9
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A7INCOOFPPEAKNDBZU3TIZJPYXBULI2C/
- https://security.gentoo.org/glsa/202209-17
- https://security.netapp.com/advisory/ntap-20221020-0005/