cbcvebase.
CVE-2026-25243
published 2026-05-05


Priority: P269 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 3.00% (85.7th percentile)
Redis is an in-memory data structure store. In versions of redis-server before 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Affected

5 ranges

Vendor    Product   Version range   Fixed in
boost     boost
redis     redis     < 8.6.3         8.6.3
redis     redis
redis_6   redis
redis_7   redis

Detection & IOCs (extracted from sources)

  • Monitor RESTORE command execution by non-administrative or untrusted authenticated users; this is the attack vector for the vulnerability. Alert on RESTORE from unexpected or low-privilege accounts on Redis/Valkey, and once the command is restricted, use ACL LOG to detect denied RESTORE attempts.
  • Watch for redis-server or valkey-server process crashes (SIGSEGV / invalid memory access), which may indicate exploitation attempts with crafted RESTORE payloads.
  • As a workaround, restrict the RESTORE command to highly trusted administrative users with ACL rules; unpatched instances before version 8.6.3 remain vulnerable.
  • Default RHEL mitigations (SELinux, ASLR, NX stack) reduce but do not eliminate the RCE risk; do not rely solely on OS-level mitigations.
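The ACL workaround and the ACL-log detection above, as an added example that is not code from Redis or from any of the advisory sources: a small Python audit that reads `ACL LIST` lines (or `ACL SETUSER` argument lists) and reports which users can still run RESTORE, emits the `ACL SETUSER <user> -restore` command to revoke it, and filters `ACL LOG` entries for denied RESTORE attempts. The sample ACL lines and log entries are constructed; the set of command categories that contain RESTORE (@keyspace, @write, @slow, @dangerous) is taken from `ACL CAT` on a Redis 7.x server and is an assumption to re-check on the version you run. Redis applies command rules left to right, so the audit deliberately catches the common mistake of putting `-restore` before a later `+@all`.

```python
"""Audit which Redis ACL users can run RESTORE and flag denied RESTORE attempts.

Added example, not Redis project code. ACL LIST lines and ACL LOG entries
below are constructed; the entries use the dict shape redis-py returns.
"""
import re
from typing import Dict, List, Tuple

# Categories that contain RESTORE, as reported by `ACL CAT` on Redis 7.x
# (assumption: verify on your version). Any +@cat / -@cat rule naming one of
# these changes whether RESTORE is permitted.
RESTORE_CATEGORIES = {"all", "keyspace", "write", "slow", "dangerous"}


def _rules_allow_restore(tokens: List[str]) -> bool:
    """Apply command rules left to right, as Redis does; later rules win."""
    allowed = False  # a fresh user (or selector) has no command permissions
    for tok in tokens:
        if tok in ("allcommands", "+@all"):
            allowed = True
        elif tok in ("nocommands", "-@all"):
            allowed = False
        elif tok[:2] in ("+@", "-@"):
            if tok[2:].lower() in RESTORE_CATEGORIES:
                allowed = tok[0] == "+"
        elif tok[:1] in ("+", "-"):
            # Single-command rule, possibly written as "restore|first-arg"
            if tok[1:].split("|", 1)[0].lower() == "restore":
                allowed = tok[0] == "+"
    return allowed


def user_can_restore(acl_line: str) -> bool:
    """True if the user on one ACL LIST line may execute RESTORE.

    Root rules and every selector "( ... )" (Redis 7.0+) are evaluated on
    their own; a grant in any of them is enough. A disabled ("off") user
    cannot authenticate, so it cannot run anything.
    """
    m = re.match(r"user\s+\S+\s*(.*)$", acl_line.strip())
    if not m:
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    rest = m.group(1)
    selectors = re.findall(r"\(([^)]*)\)", rest)
    root = re.sub(r"\([^)]*\)", " ", rest).split()
    if "off" in root:
        return False
    return _rules_allow_restore(root) or any(
        _rules_allow_restore(s.split()) for s in selectors
    )


def restore_audit(acl_list_output: str) -> Dict[str, bool]:
    """Map every user in ACL LIST output to whether RESTORE is permitted."""
    return {
        line.split()[1]: user_can_restore(line)
        for line in acl_list_output.splitlines()
        if line.strip()
    }


def revoke_restore_command(username: str) -> str:
    """redis-cli command that drops RESTORE without touching other rules.

    Persist with ACL SAVE (aclfile) or CONFIG REWRITE (users in redis.conf),
    then re-run restore_audit: a later +@all or +@dangerous re-grants it.
    """
    return f"ACL SETUSER {username} -restore"


def denied_restore_attempts(acl_log: List[dict]) -> List[Tuple[str, int, str]]:
    """(username, count, client-info) for ACL LOG entries that refused RESTORE.

    reason == "command" is the command-permission denial; "key", "channel"
    and "auth" entries are other failure kinds and are ignored here.
    """
    return [
        (e["username"], int(e.get("count", 1)), e.get("client-info", ""))
        for e in acl_log
        if e.get("reason") == "command"
        and str(e.get("object", "")).lower() == "restore"
    ]


# Constructed sample data; passwords are placeholders.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on >s3cret ~app:* &* -@all +@read +@write -restore
user migrator on >s3cret ~* &* -@all +dump +restore
user legacy on >s3cret ~* &* -@all -restore +@all
user retired off nopass ~* &* +@all
"""

SAMPLE_ACL_LOG = [
    {"count": 3, "reason": "command", "context": "toplevel", "object": "restore",
     "username": "app", "client-info": "id=7 addr=10.0.0.5:51234 user=app"},
    {"count": 1, "reason": "key", "context": "toplevel", "object": "other:key",
     "username": "app", "client-info": "id=7 addr=10.0.0.5:51234 user=app"},
    {"count": 2, "reason": "command", "context": "toplevel", "object": "config",
     "username": "app", "client-info": "id=7 addr=10.0.0.5:51234 user=app"},
]

if __name__ == "__main__":
    for name, ok in restore_audit(SAMPLE_ACL_LIST).items():
        print(f"{name:10s} RESTORE {'ALLOWED' if ok else 'denied'}")
    for user, count, client in denied_restore_attempts(SAMPLE_ACL_LOG):
        print(f"denied RESTORE x{count} by {user} ({client})")
```

Run it against the real output of `redis-cli ACL LIST`; any user other than the accounts that genuinely need DUMP/RESTORE (replication tooling, migrations) that shows as ALLOWED is a candidate for `revoke_restore_command`. In the constructed sample, `app` is correctly denied, but `legacy` is still allowed because its `+@all` comes after `-restore`.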

CVSS provenance

nvd            v3.1   8.8  HIGH   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd            v4.0   7.7  HIGH   CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat         7.7  HIGH