CVE-2026-23479
published 2026-05-05

Priority: P262
CVSS 3.1: 8.8 (high), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.29% (66.5th percentile)
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Affected (6 ranges)

Vendor    Product   Version range       Fixed in
boost     boost
redis     redis
redis     redis
redis     redis     >= 7.2.0 < 8.6.3    8.6.3
redis_6   redis
redis_7   redis

Detection & IOCs (extracted from sources)

Command: EVAL "return tostring(redis.call)" 0
Path: src/blocked.c
  • Monitor for authenticated Redis sessions issuing EVAL with 'tostring(redis.call)' — this is Stage 1 of the exploit chain used to leak a heap pointer.
  • Detect the exploit chain by watching for a single authenticated session combining CONFIG SET, EVAL, XREAD/XADD (stream commands), and SET/GET in close succession; this maps to the full three-stage RCE chain.
  • Alert on Redis instances where the GOT is writable at runtime (partial RELRO); the official Redis Docker image ships with this configuration, making the function-pointer overwrite step of the exploit trivially achievable.
  • The exploit overwrites strcasecmp() in the Global Offset Table to point to system(); any unexpected shell execution spawned from the Redis process (redis-server) should be treated as a strong post-exploitation indicator.
  • Flag Redis deployments running versions 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, or 8.6.0–8.6.2 as unpatched and at risk; patched versions are 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3.
  • Denying the @scripting ACL category kills the Stage 1 heap-address leak and breaks the full exploit chain, even though the underlying use-after-free in unblockClientOnKey() remains present.
  • The vulnerable code path is triggered via unblockClientOnKey() in src/blocked.c; process-level crash telemetry or heap-corruption signals originating from this function should be investigated as potential exploitation attempts.
  • The exploit requires an authenticated session, but Redis default deployments grant the default user all required privileges (@admin, @scripting, @stream, @read/@write) without a password, effectively making authentication a non-barrier in most environments.
  • The official Redis Docker image ships with only partial RELRO, leaving the GOT writable at runtime; ASLR and PIE do not mitigate the exploit because the write is relative to a global with a fixed build-time offset.
  • Red Hat notes exploitation requires a highly specific sequence of time-dependent conditions not directly controlled by the attacker, increasing practical exploitation complexity beyond what CVSS scores alone suggest.
  • Wiz's analysis puts Redis in a large majority of cloud environments, with most instances running without a password, significantly widening the effective attack surface despite the authentication requirement.
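As an added defensive example (not from the page's sources or the Redis project), the two monitoring bullets above turned into a small detector over Redis MONITOR output: it flags the Stage 1 EVAL marker and a single client issuing all four command groups within a window. The MONITOR lines are constructed, and the 60-second window is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed MONITOR output (not real traffic): client 10.0.0.7 runs the
# command mix described above; 10.0.0.9 is ordinary key/value traffic.
SAMPLE_MONITOR = [
    '1767225601.000200 [0 10.0.0.7:41000] "CONFIG" "SET" "maxmemory" "1mb"',
    '1767225602.000300 [0 10.0.0.7:41000] "EVAL" "return tostring(redis.call)" "0"',
    '1767225603.000400 [0 10.0.0.7:41000] "XADD" "s" "*" "f" "v"',
    '1767225604.000500 [0 10.0.0.7:41000] "XREAD" "BLOCK" "1000" "STREAMS" "s" "$"',
    '1767225605.000600 [0 10.0.0.7:41000] "SET" "k" "v"',
    '1767225605.000700 [0 10.0.0.9:52000] "GET" "session:42"',
]
MONITOR_RE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+)\] (.*)$')  # ts, client, quoted args
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
STAGE1_MARKER = "tostring(redis.call)"
ALL_GROUPS = {"config_set", "scripting", "stream", "kv"}

def group_of(cmd, args):
    if cmd == "CONFIG" and args and args[0].upper() == "SET":
        return "config_set"
    return {"EVAL": "scripting", "EVALSHA": "scripting", "XADD": "stream", "XREAD": "stream",
            "XREADGROUP": "stream", "SET": "kv", "GET": "kv"}.get(cmd)

def parse_line(line):
    m = MONITOR_RE.match(line)
    fields = ARG_RE.findall(m.group(3)) if m else []
    return (float(m.group(1)), m.group(2), fields[0].upper(), fields[1:]) if fields else None

def analyse(lines, window_s=60.0):
    # Per client: flag the Stage 1 EVAL marker, and flag all four command
    # groups appearing within window_s seconds (the chain sequence).
    alerts, events = defaultdict(list), defaultdict(list)
    for parsed in filter(None, map(parse_line, lines)):
        ts, addr, cmd, args = parsed
        if cmd in ("EVAL", "EVALSHA") and any(STAGE1_MARKER in a for a in args):
            alerts[addr].append("stage1_eval_marker")
        if group_of(cmd, args):
            events[addr].append((ts, group_of(cmd, args)))
    for addr, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            if {g for t, g in evs[i:] if t - t0 <= window_s} == ALL_GROUPS:
                alerts[addr].append("full_chain_sequence")
                break
    return dict(alerts)

if __name__ == "__main__":
    print(analyse(SAMPLE_MONITOR))
```

Feed it `redis-cli MONITOR` output line by line; ordinary clients that only touch one or two command groups produce no alert.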

CVSS provenance

NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v4.0: 7.7 HIGH, CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor (Red Hat): 7.7 HIGH