CVE-2026-27623 — Improper Input Validation in Valkey

CWE-20 — Improper Input Validation CWE-617 — Reachable Assertion6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 64.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lfprojects Valkey Valkey-io Valkey Debian Valkey +1 more

Timeline

PublishedFeb 23

Description

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Ver…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶NVDlfprojects/valkey9.0.0 — 9.0.3

▶Alpinelfprojects/valkey< 9.0.3-r0

▶debiandebian/valkey

▶CVEListV5valkey-io/valkey>= 9.0.0, < 9.0.3

▶msrcmsrc/azl3_valkey_8.0.7-1_on_azure_linux_3.0

🔴Vulnerability Details

OSV

CVE-2026-27623: Valkey is a distributed key-value database↗2026-02-23

▶

📋Vendor Advisories

Red Hat

Valkey: Valkey: Denial of Service via specially crafted network requests↗2026-02-23

▶

Microsoft

Valkey has Pre-Authentication DOS from malformed RESP request↗2026-02-10

▶

Debian

CVE-2026-27623: valkey - Valkey is a distributed key-value database. Starting in version 9.0.0 and prior ...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-27623 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶