Description
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.0, a crafted RESTORE payload triggers an out-of-bounds read in DragonflyDB's listpack collection loaders, crashing the entire server process (SIGSEGV). Because DragonflyDB requires no authentication by default and RESTORE is a normal keyspace command, an unauthenticated remote attacker can crash the server with a single ~24-byte command — a remote, repeatable denial of service. This vulnerability is fixed in 1.39.0.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DragonflyDB’s RESTORE command can be abused with a crafted payload that triggers an out‑of‑bounds read in the listpack loader, causing an immediate segmentation fault and crashing the entire server process. The resulting denial of service is repeatable with a single around 24‑byte command and is classified as a buffer over-read issue (CWE‑125).

Affected Systems

All DragonflyDB Dragonfly instances running a version older than 1.39.0, especially those with the default configuration that allows unauthenticated connections and exposes the RESTORE command, are susceptible to this crash. Any client that can send commands over the network could trigger the exploit.

Risk and Exploitability

The CVSS score of 7.5 highlights the high severity of this flaw. EPSS data is unavailable, leaving the precise exploitation probability uncertain, but the lack of authentication and the minute effort required to form the trigger make a remote attack feasible. The vulnerability is not currently listed in the CISA KEV catalog; however, it remains a dependable remote denial‑of‑service vector that can be delivered without further privilege escalation.

Generated by OpenCVE AI on June 26, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the DragonflyDB deployment to version 1.39.0 or later.
  • Restrict network access to the Dragonfly instance and enable authentication so that only authorized clients can issue commands.
  • If the RESTORE operation is not required, disable or block it in the server configuration to remove the attack surface.

Generated by OpenCVE AI on June 26, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Dragonflydb
Dragonflydb dragonfly
Vendors & Products Dragonflydb
Dragonflydb dragonfly

Fri, 26 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.0, a crafted RESTORE payload triggers an out-of-bounds read in DragonflyDB's listpack collection loaders, crashing the entire server process (SIGSEGV). Because DragonflyDB requires no authentication by default and RESTORE is a normal keyspace command, an unauthenticated remote attacker can crash the server with a single ~24-byte command — a remote, repeatable denial of service. This vulnerability is fixed in 1.39.0.
Title Dragonfly: RESTORE operations may crash the server
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Dragonflydb Dragonfly
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:32:22.364Z

Reserved: 2026-06-12T19:23:22.317Z

Link: CVE-2026-54341

cve-icon Vulnrichment

Updated: 2026-06-26T18:32:18.243Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T22:45:05Z

Weaknesses