Skip to main content

Valkey

4 CVEs product

Monthly

CVE-2026-27623 HIGH PATCH This Week

Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiting improper networking state handling after empty requests. An attacker can trigger an assertion failure that causes the Valkey process to abort, impacting availability for all users. No patch is currently available; network isolation is recommended as a mitigation.

Valkey Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21863 HIGH PATCH This Week

Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.

Valkey Information Disclosure Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-67733 HIGH PATCH This Week

Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.

RCE Valkey
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-21605 HIGH PATCH This Week

Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Denial Of Service Valkey Debian Linux Red Hat +1
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Valkey 9.0.0 through 9.0.2 allows unauthenticated network attackers to crash the server by exploiting improper networking state handling after empty requests. An attacker can trigger an assertion failure that causes the Valkey process to abort, impacting availability for all users. No patch is currently available; network isolation is recommended as a mitigation.

Valkey Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds read in Valkey clusterbus port processing allows network-adjacent attackers to crash affected systems by sending specially crafted packets that bypass buffer validation checks. This vulnerability affects Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, impacting any deployment exposing the clusterbus port to untrusted networks. Patches are available and administrators should restrict clusterbus access with network ACLs as an immediate mitigation.

Valkey Information Disclosure Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Response-stream injection in Valkey (the Redis fork) lets an authenticated user abuse Lua scripting commands to smuggle arbitrary bytes into the reply stream, corrupting or tampering with data returned to other users sharing the same connection. The flaw stems from the Lua script error-handling path mishandling null characters. It affects all releases prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. No public exploit identified at time of analysis; EPSS exploitation probability is negligible (0.02%, 4th percentile) and the issue is not in CISA KEV.

RCE Valkey
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Redis is an open source, in-memory database that persists on disk. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Denial Of Service Valkey +3
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy