Description
Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks.

This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0.

Users are recommended to upgrade to version 2.16.0, which fixes the issue.
Published: 2026-06-25
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow exists in the Lua bit.tohex() function used by Apache Kvrocks. A malformed input can overflow a stack buffer, potentially enabling arbitrary code execution. The weakness is classified as CWE-122 and can lead to compromise of the system running Kvrocks.

Affected Systems

Apache Kvrocks versions 2.0.4 through 2.15.0 are affected. Users should upgrade to version 2.16.0 to resolve the issue.

Risk and Exploitability

The CVSS score is 10, indicating critical severity. No EPSS score is currently available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely remote, as the flaw can be triggered by any entity that can execute Lua scripts within Kvrocks, such as network-connected clients. Given the high CVSS score and the ability to bypass existing security controls in environments where Lua scripting is enabled, the risk of exploitation remains significant.

Generated by OpenCVE AI on June 25, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Kvrocks 2.16.0 or later to eliminate the vulnerability
  • Limit or deny the ability for untrusted users to submit Lua scripts to the KV store
  • If Lua scripting is unnecessary for the application, disable Lua support entirely

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 09:15:00 +0000

Type: Description
Values removed: none
Values added: Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.

Type: Title
Values removed: none
Values added: Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()

Type: Weaknesses
Values removed: none
Values added: CWE-122

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values removed: none
Values added:

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-25T12:21:28.528Z

Reserved: 2026-05-18T12:13:07.483Z

Link: CVE-2026-46752

Vulnrichment

Updated: 2026-06-25T09:09:46.608Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T10:45:16Z

Weaknesses
  • CWE-122: Heap-based Buffer Overflow