Description
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Published: 2026-05-05
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Redis, as an in-memory data store, includes a RESTORE command that reloads serialized data structures. In versions prior to 8.6.3 the command does not fully validate the incoming serialized payload, which can cause an invalid memory access. The vulnerability is a classic memory corruption flaw classified as CWE-122 (heap-based buffer overflow). Processing a crafted payload has the potential to lead to arbitrary code execution in the context of the redis-server process.

Affected Systems

The affected product is Redis (vendor/product pair redis:redis). Versions up to and including 8.6.2 are impacted, and the fix was incorporated in the 8.6.3 release. Any deployment running an earlier release is therefore vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV. An attacker must be authenticated and hold permission to invoke the RESTORE command, typically because the command is not restricted or because of an ACL misconfiguration. Once a crafted payload is processed, the memory corruption can yield remote code execution on the host running redis-server.

Generated by OpenCVE AI on May 5, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround is recorded in this field; the description above states that the issue is patched in 8.6.3 and that restricting RESTORE with ACL rules is a workaround (see the recommended actions below).

OpenCVE Recommended Actions

  • Upgrade to Redis 8.6.3 or later to apply the official fix
  • If upgrading is not immediately possible, limit the RESTORE command to trusted users by configuring ACL rules
  • Avoid processing serialized payloads from untrusted sources and validate input before invoking RESTORE
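As an added example (not taken from the OpenCVE page or from the Redis project), the following Redis ACL file shows the permissive setting beside the hardened one that the second recommended action describes; user names and the REPLACE_ME passwords are placeholders, and the file path is an assumption.

```conf
# users.acl (constructed example). Loaded at startup with
#   aclfile /etc/redis/users.acl
# in redis.conf, or applied live with ACL SETUSER and persisted with ACL SAVE.

# WEAK: the default user keeps its stock rule set. Every client that
# authenticates as it receives +@all, and +@all includes RESTORE.
# user default on >REPLACE_ME ~* &* +@all

# HARDENED: the application identity keeps its normal key and channel access
# but has RESTORE explicitly removed. "-restore" comes after "+@all", so the
# later, more specific rule wins. "-restore-asking" also removes the variant
# that MIGRATE sends to a cluster target, which would otherwise remain callable.
user appuser on >REPLACE_ME ~* &* +@all -restore -restore-asking

# Only the identity used for data migrations keeps RESTORE, and only that job
# should authenticate as it.
user migrator on >REPLACE_ME ~* &* +@all

# Switch the default user off so legacy or unauthenticated clients get nothing.
user default off

# Verify without executing anything:
#   ACL DRYRUN appuser RESTORE somekey 0 payload   -> reports the denial
# Denied RESTORE attempts are recorded by ACL LOG, which is worth forwarding
# to the SIEM while unpatched instances remain.
```

After loading the file, run ACL LIST to confirm the rules took effect, then upgrade to 8.6.3 or later as the first bullet states.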

Advisories

No advisories yet.

History

Tue, 05 May 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Redis
                                       Redis redis
Vendors & Products                     Redis
                                       Redis redis

Tue, 05 May 2026 17:15:00 +0000

Type          Values Removed   Values Added
Description                    Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Title                          redis-server RESTORE invalid memory access may allow remote code execution
Weaknesses                     CWE-122
References
Metrics                        cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T03:56:10.498Z

Reserved: 2026-01-30T14:44:47.330Z

Link: CVE-2026-25243

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-05T17:17:03.667

Modified: 2026-05-05T19:38:32.193

Link: CVE-2026-25243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Weaknesses