Description
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Published: 2026-05-05
Score: 7.7 High
EPSS: 3.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Redis includes a RESTORE command that ingests serialized data structures. In versions prior to 8.6.3, the command does not properly validate the input, allowing a crafted payload to trigger an invalid memory access. This memory corruption can lead to arbitrary code execution in the context of the redis‑server process. The flaw corresponds to CWE‑122.

Affected Systems

The vulnerability affects Redis versions released before 8.6.3. Any deployment running a Redis server earlier than the 8.6.3 release, regardless of operating system or environment, is susceptible.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The EPSS score of 3% reflects a modest likelihood of exploitation when it exists. The vulnerability is not listed in CISA KEV. An attacker must be authenticated and granted permission to use the RESTORE command—typically achieved through weak or missing ACL rules. Once a malicious payload is processed, an authenticated attacker could gain remote code execution on the host running redis‑server.

Generated by OpenCVE AI on June 30, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Redis 8.6.3 or later to apply the official fix
  • If an upgrade is not immediately possible, configure ACL rules to restrict the RESTORE command to trusted users only
  • Avoid processing serialized payloads from untrusted sources by disabling or restricting access to the RESTORE command

Generated by OpenCVE AI on June 30, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4682-1 redis security update
History

Fri, 22 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Important


Wed, 06 May 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 05 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Redis
Redis redis
Vendors & Products Redis
Redis redis

Tue, 05 May 2026 17:15:00 +0000

Type Values Removed Values Added
Description Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Title redis-server RESTORE invalid memory access may allow remote code execution
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-16T12:04:33.393Z

Reserved: 2026-01-30T14:44:47.330Z

Link: CVE-2026-25243

cve-icon Vulnrichment

Updated: 2026-07-15T01:16:30.610Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T17:17:03.667

Modified: 2026-06-17T10:24:22.107

Link: CVE-2026-25243

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-05T16:44:57Z

Links: CVE-2026-25243 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T16:30:16Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow