Description
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
Published: 2026-02-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service through malformed RESTORE command
Action: Patch/Disable
AI Analysis

Impact

The Valkey‑Bloom module, a Rust implementation that adds Bloom Filter support to Valkey, contains a flaw that allows a specially crafted RESTORE command to trigger an assertion during RDB parsing. The assertion causes the server to shut down, delivering a denial‑of‑service. The issue occurs because the module failed to enable the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag, which would normally allow the module to handle parsing errors gracefully. This bug existed before the commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, which fixes the problem by setting the required flag.

Affected Systems

All builds of Valkey‑Bloom produced by Valkey‑IO that include the legacy RESTORE handling code are affected. Users running the module within a Valkey server, on any platform that exposes the RESTORE command and has not applied the patch or disabled the command, are at risk. The vulnerable product is necessarily Valkey‑Bloom, a Rust‑based module for the Valkey distributed key‑value database.

Risk and Exploitability

The CVSS base score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests a very low current likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, implying no publicly known supply‑chain attacks targeting it. An attacker who can send commands to the Valkey server can craft a malicious RESTORE payload that will cause the server to terminate, constituting a remote denial of service. The attack vector appears to be network‑based, though no public exploitation has been reported, making timely remediation prudent.

Generated by OpenCVE AI on April 17, 2026 at 16:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Valkey‑Bloom release that includes commit a68614b6e3845777d383b3a513cedcc08b3b7ccd or apply the patch manually.
  • If the RESTORE command is not required by your application, disable it in the Valkey configuration to prevent malicious payloads from reaching the vulnerable code.
  • Configure the module to set VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS so that parsing errors are handled without causing a fatal assertion.

Generated by OpenCVE AI on April 17, 2026 at 16:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects valkey-bloom
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:lfprojects:valkey-bloom:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects valkey-bloom

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Valkey-io
Valkey-io valkey-bloom
Vendors & Products Valkey-io
Valkey-io valkey-bloom

Tue, 24 Feb 2026 00:45:00 +0000

Type Values Removed Values Added
Description Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
Title Remote DoS from malformed RESTORE command
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Lfprojects Valkey-bloom
Valkey-io Valkey-bloom
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:38:37.387Z

Reserved: 2026-01-05T16:44:16.367Z

Link: CVE-2026-21864

cve-icon Vulnrichment

Updated: 2026-02-26T14:38:32.792Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T01:16:12.267

Modified: 2026-02-26T16:04:23.040

Link: CVE-2026-21864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses