Description
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Published: 2026-05-05
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Redis, as an in-memory data store, includes a RESTORE command that allows reloading serialized data structures. In versions prior to 8.6.3 the command does not fully validate the incoming serialized payload, which can cause an invalid memory access. The vulnerability is a classic memory corruption flaw corresponding to CWE-122. Execution of a crafted payload has the potential to lead to arbitrary code execution in the context of the redis-server process.

Affected Systems

The affected product is Redis (CPE vendor/product redis:redis). Versions up to and including 8.6.2 are impacted, and the fix was incorporated in the 8.6.3 release. Any deployment using an earlier release is therefore vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Attackers must be authenticated and possess permission to invoke the RESTORE command, typically through ACL misconfiguration or because the command is not restricted. Once a crafted payload is processed, the memory corruption can yield remote code execution on the host running redis-server.

Generated by OpenCVE AI on May 5, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Redis 8.6.3 or later to apply the official fix
  • If upgrading is not immediately possible, limit the RESTORE command to trusted users by configuring ACL rules
  • Avoid processing serialized payloads from untrusted sources and validate input before invoking RESTORE
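To check whether the ACL advice above has actually taken effect, the following added example (not from the advisory, OpenCVE or the Redis project) audits `ACL LIST` output for enabled users whose rules still permit RESTORE. It applies the Redis rule-ordering semantics (later command and category rules override earlier ones); the sample output is constructed, and RESTORE's ACL categories are taken from the Redis command reference.

```python
# Categories whose +/- rules affect RESTORE; "@all" is included so that
# +@all / -@all are handled by the same lookup.
RESTORE_CATEGORIES = {"all", "keyspace", "write", "slow", "dangerous"}

# Constructed sample of `ACL LIST` output, not captured from a real server.
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #0123abcd ~app:* &* +@all -restore
user batch on #4567ef01 ~* &* -@all +@read +@write
user ops off #89abcdef ~* &* +@all
user cache on #fedcba98 ~* &* -@all +get +set +restore
"""


def can_run_restore(rules):
    """True if the ordered rule list leaves RESTORE permitted.

    Key/channel patterns and password hashes are ignored; Redis 7
    selectors in parentheses are not handled by this check.
    """
    allowed = False
    for rule in rules:
        if rule == "allcommands":
            allowed = True
        elif rule == "nocommands":
            allowed = False
        elif rule[:2] in ("+@", "-@"):
            if rule[2:].lower() in RESTORE_CATEGORIES:
                allowed = rule[0] == "+"
        elif rule[:1] in ("+", "-"):
            # Command rules may carry a subcommand suffix, e.g. +config|get.
            if rule[1:].split("|")[0].lower() == "restore":
                allowed = rule[0] == "+"
    return allowed


def audit_acl_list(text):
    """Return the names of enabled users whose rules permit RESTORE."""
    exposed = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        if "off" in rules:
            continue  # a disabled user cannot authenticate at all
        if can_run_restore(rules):
            exposed.append(name)
    return exposed
```

Users reported by `audit_acl_list` can be tightened with `ACL SETUSER <name> -restore`, which appends a denying rule that wins over the earlier grants.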

Advisories

No advisories yet.

History

Fri, 22 May 2026 00:15:00 +0000

Type: References
Type: Metrics threat_severity
  Values removed: None
  Values added: Important


Wed, 06 May 2026 16:30:00 +0000

Type: CPEs
  Values added: cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Type: Metrics cvssV3_1
  Values added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 14:15:00 +0000

Type: Metrics ssvc
  Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 18:45:00 +0000

Type: First Time appeared
  Values added: Redis, Redis redis
Type: Vendors & Products
  Values added: Redis, Redis redis

Tue, 05 May 2026 17:15:00 +0000

Type: Description
  Values added: Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Type: Title
  Values added: redis-server RESTORE invalid memory access may allow remote code execution
Type: Weaknesses
  Values added: CWE-122
Type: References
Type: Metrics cvssV4_0
  Values added: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T13:24:39.678Z

Reserved: 2026-01-30T14:44:47.330Z

Link: CVE-2026-25243

Vulnrichment

Updated: 2026-05-05T18:44:16.453Z

NVD

Status: Analyzed

Published: 2026-05-05T17:17:03.667

Modified: 2026-05-06T16:16:41.060

Link: CVE-2026-25243

Redhat

Severity: Important

Public Date: 2026-05-05T16:44:57Z

Links: CVE-2026-25243 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Weaknesses