Security News Jun 25, 2026 by vuln.today Threat Intelligence

Critical Stack Buffer Overflow in Apache Kvrocks Lua Engine - CVE-2026-46752

Related CVEs

Other CVEs in Same Group

CVE-2026-41566 CRITICAL 9.4

Privilege bypass in Apache Kvrocks exposes the internal APPLYBATCH command without proper permission enforcement, letting an authenticated low-privilege client write raw batches directly to the underlying RocksDB storage engine and bypass the server's command ACL model. The flaw (CWE-280, improper handling of permissions) carries a CVSS 4.0 base score of 9.4 due to high integrity and availability impact and an irrecoverable-damage recovery rating. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV; it was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two sibling Kvrocks CVEs.

CVE-2026-54226 MEDIUM 6.4

Remote denial-of-service in Apache Kvrocks via an integer overflow in the RESTORE command's IntSet deserialization path. An attacker who can send commands to a Kvrocks instance can supply a crafted RDB-serialized IntSet payload to the RESTORE command, triggering an integer overflow that crashes the server process. This vulnerability was disclosed pre-NVD via the oss-security mailing list on 2026-06-25 alongside two other Kvrocks CVEs (CVE-2026-46751, CVE-2026-46752), suggesting a coordinated security audit of the project; no public exploit code or CISA KEV listing has been identified at time of analysis.

CVE-2026-46751 MEDIUM 5.5

Lua sandbox escape in Apache Kvrocks exposes the host environment to authenticated users who hold EVAL command privileges. The database fails to strip the `loadstring` function from its Lua scripting environment, which is a standard hardening step in Redis-protocol-compatible systems; retaining it allows a sandboxed Lua script to load and execute arbitrary Lua bytecode dynamically, effectively escaping the intended script isolation. No public exploit code or CISA KEV listing exists at time of analysis; however, sandbox escapes of this class are well-understood and exploitable by any user granted EVAL access.

CVE-2026-45188 LOW 2.4

Replication full sync in Apache Kvrocks fails to validate filenames transmitted from a master node to a replica during full synchronization, enabling path traversal to arbitrary filesystem locations. Deployments using Kvrocks master-replica replication are affected; standalone instances with no replication configured are not exposed. An attacker who controls or can impersonate a master node can cause a replica to read or write files outside its intended data directory. No public exploit has been identified, and this CVE is not listed in the CISA KEV catalog at time of analysis.
