Description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Published: 2026-02-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A malformed message sent to the Valkey clusterbus can trigger an out-of-bounds read, potentially disrupting the server and causing a system crash. This vulnerability allows an attacker with access to the clusterbus port to send crafted packets that the server processes without proper bounds checking, leading to remote denial of service.

Affected Systems

The issue affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The vulnerable component is the clusterbus packet processing code in the distributed key-value database developed by Valkey.io.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. The EPSS score is less than 1%, implying a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers who can reach the clusterbus port—either locally or over an exposed network—might send a malicious packet to induce a crash, though no public exploitation code is reported.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Valkey to at least 9.0.2, 8.1.6, 8.0.7, or 7.2.12, depending on your environment.
  • Reconfigure the clusterbus interface so it is not publicly exposed; restrict access to trusted peers only, using firewall or network ACLs.
  • Apply network ACLs or firewall rules to block unauthorized traffic to the clusterbus port, ensuring that only legitimate cluster nodes can communicate.

Advisories

Source       ID           Title
Debian DSA   DSA-6198-1   valkey security update
Ubuntu USN   USN-8106-1   Valkey vulnerabilities
History

Fri, 27 Feb 2026 06:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 18:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Lfprojects; Lfprojects valkey
CPEs                  -                cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*
Vendors & Products    -                Lfprojects; Lfprojects valkey

Tue, 24 Feb 2026 12:15:00 +0000

Type         Values Removed           Values Added
References   -                        -
Metrics      threat_severity: None    threat_severity: Important

Tue, 24 Feb 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Valkey-io; Valkey-io valkey
Vendors & Products    -                Valkey-io; Valkey-io valkey

Mon, 23 Feb 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   -                Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Title         -                Malformed Valkey Cluster bus message can lead to Remote DoS
Weaknesses    -                CWE-125
References    -                -
Metrics       -                cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T14:58:41.277Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21863

Vulnrichment

Updated: 2026-02-25T14:58:34.933Z

NVD

Status : Analyzed

Published: 2026-02-23T20:28:53.853

Modified: 2026-02-25T17:49:51.250

Link: CVE-2026-21863

Redhat

Severity : Important

Public Date: 2026-02-23T19:41:28Z

Links: CVE-2026-21863 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses