Description
Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
Published: 2026-05-05
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker who can run Lua scripts in redis-server can trigger a use‑after‑free during the master‑replica synchronization process on replicas where replica‑read‑only is not enforced. The vulnerability allows the attacker to execute arbitrary code on the replica host, resulting in remote code execution. The flaw is a classic use‑after‑free (CWE‑416) that undermines the integrity of replica memory. Its exploitation requires the attacker to have sufficient credentials to run scripts and to influence the synchronization flow.

Affected Systems

All redis‑server versions that include Lua support prior to version 8.6.3 run the vulnerable code. The issue manifests when replicas have replica‑read‑only disabled or can be disabled, allowing the use‑after‑free to be reached. Any deployment that uses replicas without the read‑only safeguard and permits authenticated Lua execution is affected.

Risk and Exploitability

The CVSS score is 6.1, indicating moderate severity. No EPSS data is available, and the vulnerability is not listed in CISA KEV. The exploit path requires authentication and Lua scripting ability, implying that the attacker must have at least internal or privileged access. Once the use‑after‑free is triggered via replication, the attacker can run arbitrary code on the replica, controlling that host.

Generated by OpenCVE AI on May 5, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade redis to version 8.6.3 or later, which contains the patch.
  • Disable Lua scripting or restrict it to trusted users when the server is in use.
  • Ensure replica‑read‑only is enabled on all replicas, or avoid using replicas where this setting can be disabled.
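An added check for the two configuration-level actions above (example code, not from OpenCVE or the Redis project): it parses a redis.conf fragment, flags a replica whose replica-read-only is not yes, and lists enabled ACL users whose rules still grant the @scripting category, with a weak and a hardened config side by side. The configs, addresses and user names are constructed, and the ACL evaluation is simplified to the @all and @scripting categories.

```python
# Constructed replica config (weak): read-only disabled, both users can run Lua.
WEAK_CONF = """\
replicaof 10.0.0.5 6379
replica-read-only no
user default on nopass ~* &* +@all
user ops on >adminpw ~* &* +@all
"""
# Constructed hardened config: read-only enforced, @scripting denied to every user.
HARDENED_CONF = """\
replicaof 10.0.0.5 6379
replica-read-only yes
user default off
user ops on >adminpw ~* &* +@all -@scripting
"""

def parse_conf(text):
    # Returns (settings, users); ACL rules are kept in order because order matters.
    settings, users = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition(" ")
            if key.lower() == "user":  # inline ACL definition: user <name> <rules...>
                name, *rules = rest.split()
                users[name] = rules
            else:
                settings[key.lower()] = rest.strip()
    return settings, users

def user_can_script(rules):
    # Rules apply left to right (later overrides earlier); simplified to @all/@scripting.
    allowed = False
    for rule in rules:
        if rule in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif rule in ("-@all", "nocommands", "-@scripting"):
            allowed = False
    return allowed

def audit(text):
    # Returns findings for the two mitigations; an empty list means both hold.
    settings, users = parse_conf(text)
    findings = []
    read_only = settings.get("replica-read-only", settings.get("slave-read-only", "yes"))
    if ("replicaof" in settings or "slaveof" in settings) and read_only.lower() != "yes":
        findings.append("replica-read-only is disabled on a replica")
    for name, rules in users.items():
        if "on" in rules and user_can_script(rules):  # only enabled users matter
            findings.append(f"user {name} can run Lua scripts")
    return findings
```

Run `audit()` over the config of each replica; any finding means one of the two actions above is still open.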



Advisories

No advisories yet.

History

Tue, 05 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redis; Redis redis
Vendors & Products | | Redis; Redis redis

Tue, 05 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
Title | | redis-server Lua use-after-free may allow remote code execution
Weaknesses | | CWE-416
References | |
Metrics | | cvssV4_0 {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T16:39:32.337Z

Reserved: 2026-01-14T16:08:37.482Z

Link: CVE-2026-23631

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-05T17:17:03.503

Modified: 2026-05-05T19:38:32.193

Link: CVE-2026-23631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Weaknesses