CVE-2026-23479
Published: 2026-05-05
Priority: P262 · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.29% (66.5th percentile)
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| boost | boost | — | — |
| redis | redis | — | — |
| redis | redis | — | — |
| redis | redis | >= 7.2.0 < 8.6.3 | 8.6.3 |
| redis_6 | redis | — | — |
| redis_7 | redis | — | — |
Detection & IOCs (extracted from sources)
- Monitor for authenticated Redis sessions issuing EVAL with 'tostring(redis.call)'; this is Stage 1 of the exploit chain used to leak a heap pointer.
- Detect the exploit chain by watching for a single authenticated session combining CONFIG SET, EVAL, XREAD/XADD (stream commands), and SET/GET in close succession; this maps to the full three-stage RCE chain.
- Alert on Redis instances where the GOT is writable at runtime (partial RELRO); the official Redis Docker image ships with this configuration, making the function-pointer overwrite step of the exploit trivially achievable.
- The exploit overwrites strcasecmp() in the Global Offset Table to point to system(); any unexpected shell execution spawned from the Redis process (redis-server) should be treated as a strong post-exploitation indicator.
- Flag Redis deployments running versions 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, or 8.6.0–8.6.2 as unpatched and at risk; patched versions are 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
- Denying the @scripting ACL category kills the Stage 1 heap-address leak and breaks the full exploit chain, even though the underlying use-after-free in unblockClientOnKey() remains present.
- The vulnerable code path is triggered via unblockClientOnKey() in src/blocked.c; process-level crash telemetry or heap-corruption signals originating from this function should be investigated as potential exploitation attempts.
- The exploit requires an authenticated session, but Redis default deployments grant the default user all required privileges (@admin, @scripting, @stream, @read/@write) without a password, effectively making authentication a non-barrier in most environments.
- The official Redis Docker image ships with only partial RELRO, leaving the GOT writable at runtime; ASLR and PIE do not mitigate the exploit because the write is relative to a global with a fixed build-time offset.
- Red Hat notes exploitation requires a highly specific sequence of time-dependent conditions not directly controlled by the attacker, increasing practical exploitation complexity beyond what CVSS scores alone suggest.
- Wiz's analysis puts Redis in a large majority of cloud environments, with most instances running without a password, significantly widening the effective attack surface despite the authentication requirement.
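To turn the version list above into a repeatable check, here is an added Python example (not code from the page's sources or from the Redis project) that reads `redis_version` from `INFO server` output and reports whether the instance is unpatched for CVE-2026-23479, using the branch-specific fixed releases listed above and the NVD range (>= 7.2.0 < 8.6.3) as a fallback for branches the list does not name. The `INFO server` sample is constructed, not captured from a real host.

```python
import re

# Patched release per affected branch, as listed in the detection notes above.
FIXED_BY_BRANCH = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}
FIRST_AFFECTED = (7, 2, 0)   # flaw introduced in 7.2.0
FIXED_MAINLINE = (8, 6, 3)   # NVD range: >= 7.2.0 < 8.6.3


def parse_version(text):
    """Turn '8.6.2' (any trailing suffix is ignored) into a (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Return (affected, fixed_in) for CVE-2026-23479 given a redis_version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        return (v < fixed, ".".join(map(str, fixed)))
    # Branch not in the vendor's patched list (e.g. 8.0.x): fall back to the NVD range.
    if FIRST_AFFECTED <= v < FIXED_MAINLINE:
        return (True, ".".join(map(str, FIXED_MAINLINE)))
    return (False, None)


def assess_info_output(info_text):
    """Pull redis_version out of raw 'INFO server' output and assess it."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return assess(line.split(":", 1)[1])
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of 'INFO server' output (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:8.6.2
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    print(assess_info_output(SAMPLE_INFO))  # (True, '8.6.3')
```

Feed it the output of `redis-cli INFO server` from each instance in your inventory; an `affected` result for a branch-listed version names the exact release to upgrade to.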
CVSS provenance
- NVD (CVSS 3.1): 8.8 HIGH, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD (CVSS 4.0): 7.7 HIGH, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Red Hat (vendor): 7.7 HIGH
VulDB
Redis up to 8.6.2 Data Structure processCommandAndResetClient use after free (EUVD-2026-27396)
vuldb · 2026-05-05 · CVSS 7.7 · HIGH
A vulnerability, which was classified as critical, has been found in Redis up to 8.6.2. Impacted is the function processCommandAndResetClient of the component Data Structure Handler. This manipulation causes use after free.
This vulnerability is handled as CVE-2026-23479. The attack can be initiated remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
Red Hat
redis: use-after-free in unblock client flow may allow remote code execution
vendor_redhat · 2026-05-05 · CVSS 7.7 · HIGH · CWE-416
A flaw was found in Redis. The unblock client flow does not handle an error return from the `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can cause a use-after-free issue. This potentially leads to arbitrary code execution.
Statement: To exploit this flaw, a highly specific sequence of events and time dependent conditions that are not directly in control of an attacker must occur, increasing the complexity of exploitation. Additionally, the attacker needs to be authenticated, limiting the exposure of this issue. To reflect these conditions, this vulnerability has been rated with an important severity.
Mitigation: Re
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
blogs_hackernews · 2026-06-08 · CVSS 8.4 · tagged CVE-2025-48595 [HIGH]
## ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More
Monday again. The weekend was meant to be quiet. It wasn't. Last week had poisoned packages, a broken AI helper, and a worm tearing through repos. The ugly part: basic tricks still worked.
A chatbot got fooled. A bot token got leaked inside the malware. The same old mistakes showed up again. And while everyone chased the loud stuff, quieter attackers sat in inboxes for months, reading mail and stealing it bit by bit.
Lots to cover. Grab coffee. Read up.
## ⚡ Threat of the Week
Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain
Hackernews
Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)
blogs_hackernews · 2026-06-03 · CVSS 7.7 · HIGH
## Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)
Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years. NVD rates it 8.8 under CVSS 3.1; Redis lists it as 7.7 under CVSS 4.0. It was reported by Team Xint Code, and a complete technical write-up is now public.
The cloud footprint makes this worse. Wiz's analysis, published with the exploit writeup, puts Redis in a large majority of cloud environments, with most of those instances running without a password. The exploit needs an authenticated session, but i
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews · 2026-05-18 · CVSS 6.1 · tagged CVE-2026-42897 [MEDIUM]
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVSS 10.0 · tagged CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla
CVE-2026-23479 valkey: use-after-free in unblock client flow may allow remote code execution [epel-all]
bugzilla · 2026-05-15 · CVSS 7.7 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-23479 valkey: use-after-free in unblock client flow may allow remote code execution [fedora-all]
bugzilla · 2026-05-15 · CVSS 7.7 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-23479 redis: use-after-free in unblock client flow may allow remote code execution
bugzilla · 2026-05-05 · CVSS 7.7 · HIGH
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
References:
- https://github.com/redis/redis/releases/tag/8.6.3
- https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3
- https://access.redhat.com/errata/RHSA-2026:25216
- https://access.redhat.com/errata/RHSA-2026:25219
- https://access.redhat.com/errata/RHSA-2026:25925
- https://access.redhat.com/errata/RHSA-2026:26306
- https://access.redhat.com/errata/RHSA-2026:26540
- https://access.redhat.com/security/cve/CVE-2026-23479
- https://bugzilla.redhat.com/show_bug.cgi?id=2466780
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23479.json
Published: 2026-05-05