CVE-2022-35951
published 2022-09-23


Priority: P2 (60)
Severity: critical, 9.8 (CVSS 3.1)
Vector:   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS:     2.74% (84.3rd percentile)
Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known workarounds exist.

Affected

Vendor          Product   Version range                      Fixed in
debian          redis     < redis 5:7.0.5-1 (bookworm)       redis 5:7.0.5-1 (bookworm)
fedoraproject   fedora    (none listed)                      (none listed)
redis           redis     (none listed)                      (none listed)
redis           redis     >= 0 < 5:7.0.5-1                   5:7.0.5-1
redis           redis     >= 7.0.0 < 7.0.5                   7.0.5

Detection & IOCs (extracted from sources)

  • Trigger: an XAUTOCLAIM command executed on a stream key in a specific state with a specially crafted COUNT argument, causing an integer overflow and a subsequent heap overflow.
  • Monitor Redis instances running 7.0.0 through 7.0.4 (inclusive) for XAUTOCLAIM commands with anomalous COUNT values, in particular extremely large integers. A non-positive COUNT is rejected by the server with an error, but an attempt is still worth logging.
  • Only Redis 7.0.0 through 7.0.4 are affected; Redis 6.x (including rh-redis6-redis and redis:6) is not affected. Scope version checks in detection logic accordingly, and compare versions numerically (7.0.10 is newer than 7.0.5).
  • No known workarounds exist; the only mitigation is upgrading to Redis 7.0.5 or later.
  • Multiple Red Hat packages (RHEL 8/9, OpenStack, Quay, Ansible, RHACM, Fuse, RHSC) ship Redis 6.x and are explicitly marked Not Affected; do not alert on these.
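The two detection points above (flag XAUTOCLAIM calls with an anomalous COUNT, and only on instances whose version falls in 7.0.0 through 7.0.4) can be turned into a small scanner over Redis MONITOR output. The Python below is an added example, not code from this advisory page or from the Redis project. It assumes MONITOR's line format (`<unix-ts> [<db> <client-addr>] "CMD" "arg" ...`), a version string as reported by `INFO server` (`redis_version:7.0.4`), and an assumed threshold `SUSPICIOUS_COUNT` that you would tune to your own workloads. The sample MONITOR lines are constructed for the example.

```python
"""Scan Redis MONITOR output for CVE-2022-35951 XAUTOCLAIM COUNT anomalies.

Added example; not part of the advisory or of Redis itself. The MONITOR line
format, the XAUTOCLAIM argument layout and the threshold below are assumptions
made for this illustration.
"""
import re
import shlex
from typing import Optional

# Assumed tuning value: legitimate consumers rarely claim more entries than this.
SUSPICIOUS_COUNT = 1_000_000

# MONITOR line: <unix-ts> [<db> <client-addr>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<cmd>.+)$')


def parse_version(v: str) -> Optional[tuple]:
    """Turn '7.0.4' (as in INFO server's redis_version) into (7, 0, 4)."""
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)', v.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(v: str) -> bool:
    """True for upstream Redis 7.0.0 <= v < 7.0.5; numeric compare, so 7.0.10 is fixed."""
    parsed = parse_version(v)
    return parsed is not None and (7, 0, 0) <= parsed < (7, 0, 5)


def parse_monitor_line(line: str) -> Optional[dict]:
    """Split one MONITOR line into timestamp, client address and argv."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m.group('cmd'))  # MONITOR quotes every argument
    except ValueError:
        return None
    return {'ts': float(m.group('ts')), 'addr': m.group('addr'), 'argv': argv}


def xautoclaim_count(argv) -> Optional[str]:
    """Return the raw COUNT argument of an XAUTOCLAIM call, or None if absent."""
    if not argv or argv[0].upper() != 'XAUTOCLAIM':
        return None
    # XAUTOCLAIM key group consumer min-idle-time start [COUNT n] [JUSTID]
    # Options begin at index 6 and may appear in any order.
    for i in range(6, len(argv) - 1):
        if argv[i].upper() == 'COUNT':
            return argv[i + 1]
    return None


def classify_count(raw: str) -> Optional[str]:
    """Return a reason string when COUNT looks like an overflow attempt, else None."""
    try:
        n = int(raw)
    except ValueError:
        return 'non-numeric COUNT'
    if n <= 0:
        return 'non-positive COUNT'       # rejected by Redis, but still an attempt
    if n > SUSPICIOUS_COUNT:
        return 'COUNT exceeds threshold'  # the crafted-COUNT case from the advisory
    return None


def scan(lines, redis_version: str):
    """Return (ts, addr, raw_count, reason) tuples; empty when the version is not affected."""
    alerts = []
    if not is_affected_version(redis_version):
        return alerts
    for line in lines:
        rec = parse_monitor_line(line)
        if rec is None:
            continue
        raw = xautoclaim_count(rec['argv'])
        if raw is None:
            continue
        reason = classify_count(raw)
        if reason:
            alerts.append((rec['ts'], rec['addr'], raw, reason))
    return alerts


# Constructed sample MONITOR output (not captured from a real incident).
SAMPLE_MONITOR = [
    '1663891200.100000 [0 10.0.0.5:51234] "XAUTOCLAIM" "orders" "workers" "w1" "60000" "0-0" "COUNT" "100"',
    '1663891201.200000 [0 10.0.0.9:40001] "XAUTOCLAIM" "orders" "workers" "w2" "0" "0-0" "COUNT" "9223372036854775807"',
    '1663891202.300000 [0 10.0.0.5:51234] "XREADGROUP" "GROUP" "workers" "w1" "COUNT" "100000000" "STREAMS" "orders" ">"',
    '1663891203.400000 [0 10.0.0.9:40001] "xautoclaim" "orders" "workers" "w2" "0" "0-0" "JUSTID" "COUNT" "-1"',
]

if __name__ == '__main__':
    for alert in scan(SAMPLE_MONITOR, '7.0.4'):
        print(alert)
```

Feed it the real thing with `redis-cli MONITOR | python3 scan.py`-style plumbing and the version from `redis-cli INFO server`; the version gate matters because the same large-COUNT pattern on a 7.0.5+ or 6.x instance is noise, not an exploit attempt. XREADGROUP also takes a COUNT option, which is why the check is keyed on the command name rather than on the bare keyword.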

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                       9.8     CRITICAL
vendor_debian             7.0     HIGH
vendor_redhat             7.0     HIGH