Skip to main content

Apache Kvrocks CVE-2026-46752

| EUVDEUVD-2026-39332 CRITICAL
Heap-based Buffer Overflow (CWE-122)
10.0
CVSS 4.0 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
10.0 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Exploitation needs EVAL/scripting access, which is typically authenticated in real deployments, so PR:L rather than PR:N; network vector and low complexity, memory corruption yields high C/I/A within the process (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 25, 2026 - 09:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 09:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 09:23 vuln.today
cvss_changed
CVSS changed
Jun 25, 2026 - 09:23 NVD
10.0 (CRITICAL)
Analysis Generated
Jun 25, 2026 - 04:46 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Memory corruption in Apache Kvrocks' embedded Lua scripting engine allows a client able to run EVAL/EVALSHA commands to trigger a stack buffer overflow in the bit.tohex() function, potentially crashing the server or corrupting process memory toward code execution. Kvrocks is a Redis-protocol-compatible distributed key-value store, and this flaw was disclosed via the oss-security mailing list on 2026-06-25 alongside three other Kvrocks issues. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Kvrocks listener port
Delivery
Open Redis-protocol session (auth if required)
Exploit
Submit EVAL with crafted bit.tohex() argument
Execution
Overflow stack buffer in Lua engine
Persist
Crash process or corrupt memory
Impact
Denial of service or potential code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be able to execute Lua scripts on the target via the EVAL/EVALSHA command path that reaches bit.tohex(); this is the concrete prerequisite, mirroring the sibling CVE-2026-46751 which is scoped to 'a user who can run EVAL.' What limits exploitation: in deployments where requirepass/authentication is configured, the attacker must first hold valid credentials with scripting permission, so the official PR:N (unauthenticated) rating only holds for instances left without a password or otherwise exposing EVAL to anonymous clients. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 4.0 score is 10.0 (AV:N/AC:L/AT:N/PR:N/UI:N with full High vulnerable- and subsequent-system impact), which treats the issue as remotely exploitable by an unauthenticated attacker with maximum impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Kvrocks port and execute scripts - for example via an exposed instance with no password, or a low-privileged application tenant - sends an EVAL command containing a crafted call to bit.tohex(). The malformed argument overflows the fixed-size buffer, crashing the Kvrocks process (denial of service) and potentially corrupting memory in a way that could be steered toward code execution. …
Remediation No vendor-released patch version is identified in the available data; the primary action is to upgrade to the fixed Apache Kvrocks release named in the official advisory at https://lists.apache.org/thread/11sr3bkkhkk0q01odgw6ddsj7fzo31pt (verify the exact patched version there before deploying). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Apache Kvrocks and audit network exposure to untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46752 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy