Description
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Published: 2026-02-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A malicious actor with network access to Valkey can trigger an assertion that causes the server to abort by sending a malformed RESP request before authentication. The server fails to reset its networking state after an empty request, leading to a condition where a specially crafted request is interpreted as violating server invariants and results in a shutdown. The primary impact is denial of service, preventing legitimate clients from accessing the database.

Affected Systems

Valkey, a distributed key-value database by valkey-io, is affected in versions 9.0.0 through 9.0.2 inclusive. The fix was applied in version 9.0.3.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker only needs network connectivity to the Valkey instance; credentials are not required. By sending a malformed RESP request before establishing authentication, a remote adversary can repeatedly trigger the server to shut down, disrupting availability of the service.

Generated by OpenCVE AI on April 17, 2026 at 16:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Valkey to version 9.0.3 or later, which addresses the assertion trigger caused by malformed RESP requests.
  • Restrict network access to the Valkey server so that only trusted hosts can reach it, using firewalls or network segmentation.
  • If an upgrade cannot be performed immediately, monitor the server for unexpected restarts and consider temporarily disabling any exposed interfaces that handle RESP requests until a patch is applied.


Advisories

No advisories yet.

History

Wed, 25 Feb 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Lfprojects
                                      Lfprojects valkey
CPEs                                  cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*
Vendors & Products                    Lfprojects
                                      Lfprojects valkey

Tue, 24 Feb 2026 12:15:00 +0000

Type                 Values Removed            Values Added
Weaknesses                                     CWE-617
References
Metrics              threat_severity: None     threat_severity: Important

Tue, 24 Feb 2026 10:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Valkey-io
                                      Valkey-io valkey
Vendors & Products                    Valkey-io
                                      Valkey-io valkey

Mon, 23 Feb 2026 20:15:00 +0000

Type           Values Removed   Values Added
Description                     Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Title                           Valkey has Pre-Authentication DOS from malformed RESP request
Weaknesses                      CWE-20
References
Metrics                         cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T14:59:49.581Z

Reserved: 2026-02-20T22:02:30.027Z

Link: CVE-2026-27623

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-02-23T20:28:55.217

Modified: 2026-02-25T17:58:27.510

Link: CVE-2026-27623

Redhat

Severity : Important

Public Date: 2026-02-23T19:43:45Z

Links: CVE-2026-27623 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:30:05Z

Weaknesses