Valkey
CVE-2026-21863
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
AnalysisAI
Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.
Technical ContextAI
Classified as CWE-125 (Out-of-bounds Read). Affects Valkey. Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is
Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiti
Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Server Applications 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| private-registry/harbor-valkey suse/valkey | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today