Description
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
Published: 2026-05-05
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a use-after-free (CWE-416) in the unblock client flow. When a blocked command is re-executed, the server does not handle an error return from processCommandAndResetClient; if the blocked client is evicted during that flow, the freed client object is still used. An attacker who can authenticate to the server can trigger this memory corruption, which may lead to remote code execution.

Affected Systems

Redis server builds from version 7.2.0 up to, but not including, 8.6.3 are vulnerable. The affected product is redis:redis; every release from 7.2.0 onward that predates the 8.6.3 fix is affected.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, and the EPSS score is not available, so the likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to authenticate and target a blocked client that is evicted; the exploit path can be triggered through normal client commands.

Generated by OpenCVE AI on May 5, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Redis 8.6.3 or later, which contains the fix.
  • If upgrading immediately is not feasible, avoid evicting blocked clients while authenticated clients may be present.
  • Regularly monitor authenticated sessions and limit client privileges to reduce the attack surface.

Advisories

No advisories yet.

History

Tue, 05 May 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Redis; Redis redis
Vendors & Products   (none)           Redis; Redis redis

Tue, 05 May 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 17:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
Title         (none)           redis-server use-after-free in unblock client flow may allow remote code execution
Weaknesses    (none)           CWE-416
References    (none)           (none listed)
Metrics       (none)           cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T03:56:08.169Z

Reserved: 2026-01-13T15:47:41.627Z

Link: CVE-2026-23479

Vulnrichment

Updated: 2026-05-05T17:13:12.197Z

NVD

Status : Awaiting Analysis

Published: 2026-05-05T17:17:02.577

Modified: 2026-05-05T19:38:32.193

Link: CVE-2026-23479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T20:00:12Z

Weaknesses