{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21864", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.367Z", "datePublished": "2026-02-24T00:24:15.677Z", "dateUpdated": "2026-02-26T14:38:37.387Z"}, "containers": {"cna": {"title": "Remote DoS from malformed RESTORE command", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2"}, {"name": "https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd", "tags": ["x_refsource_MISC"], "url": "https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd"}], "affected": [{"vendor": "valkey-io", "product": "valkey-bloom", "versions": [{"version": "< a68614b6e3845777d383b3a513cedcc08b3b7ccd", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:24:15.677Z"}, "descriptions": [{"lang": "en", "value": "Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application."}], "source": {"advisory": "GHSA-mc2g-h759-3qw2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T14:37:52.971674Z", "id": "CVE-2026-21864", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:38:37.387Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21864", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T14:37:52.971674Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:38:32.792Z"}}], "cna": {"title": "Remote DoS from malformed RESTORE command", "source": {"advisory": "GHSA-mc2g-h759-3qw2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "valkey-io", "product": "valkey-bloom", "versions": [{"status": "affected", "version": "< a68614b6e3845777d383b3a513cedcc08b3b7ccd"}]}], "references": [{"url": "https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2", "name": "https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd", "name": "https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T00:24:15.677Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21864", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:38:37.387Z", "dateReserved": "2026-01-05T16:44:16.367Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T00:24:15.677Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:valkey-bloom:*:*:*:*:*:*:*:*", "matchCriteriaId": "04953F63-D070-4E0C-B28E-4650EBAEF756", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application."}, {"lang": "es", "value": "Valkey-Bloom es un m\u00f3dulo de Valkey basado en Rust que introduce un tipo de datos Bloom Filter (M\u00f3dulo) en la base de datos distribuida clave-valor de Valkey. Antes del commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, un comando 'RESTORE' especialmente dise\u00f1ado puede hacer que Valkey encuentre una aserci\u00f3n, lo que provoca el apagado del servidor. Los m\u00f3dulos de Valkey deben manejar los errores en el an\u00e1lisis RDB utilizando la bandera 'VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS'. Si esta bandera no est\u00e1 configurada, los errores encontrados durante el an\u00e1lisis resultan en una aserci\u00f3n del sistema que apaga el sistema. Aunque el m\u00f3dulo Valkey-bloom manej\u00f3 correctamente el an\u00e1lisis, originalmente no configur\u00f3 la bandera. El commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contiene un parche. Se puede mitigar este defecto deshabilitando el comando 'RESTORE' si no es utilizado por la aplicaci\u00f3n."}], "id": "CVE-2026-21864", "lastModified": "2026-02-26T16:04:23.040", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-24T01:16:12.267", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,a68614b6e3845777d383b3a513cedcc08b3b7ccd)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "valkey-bloom", "source": "cna", "vendor": "valkey-io"}, "product": "valkey-bloom", "vendor": "valkey-io"}], "created": "2026-02-24T09:54:22.031686+00:00", "updated": "2026-02-24T09:54:22.031762+00:00", "vendors": ["valkey-io", "valkey-io$PRODUCT$valkey-bloom"]}