Redis patches 5 RCE bugs at once — one hidden two years, PoC public
TL;DR
Redis patched five critical RCE bugs at once on May 5, affecting 7.2.0–8.6.2. CVE-2026-23479 had been hiding for two years. PoC chains are public. Upgrade immediately.
On May 5, Redis CISO Riaz Lakhani published an advisory patching five critical vulnerabilities, all RCE, affecting versions 7.2.0 through 8.6.2.
CVE-2026-23479 (CVSS 7.7): use-after-free in the unblock-client flow. When a blocked client is evicted and re-executes a command, processCommandAndResetClient returns an error that isn't handled, so the client pointer is dereferenced after it has been freed. Team Xint Code's PoC: a Lua script leaks a heap pointer → manipulates client memory → overwrites a GOT function pointer → redirects it to system() for RCE. Introduced in two commits in early 2023 — hidden for over two years.
CVE-2026-25243 (CVSS 7.7): invalid memory access in the RESTORE command. A crafted serialized payload triggers arbitrary code execution via double-free and integer-overflow paths.
CVE-2026-25588/25589: RESTORE combined with the RedisTimeSeries and RedisBloom modules — heap buffer overflow + out-of-bounds write; hits any production environment using these modules.
CVE-2026-23631 «DarkReplica» (CVSS 6.1): post-auth. SLAVEOF makes the target instance a replica of an attacker-controlled master, which then loads a malicious function context from the RDB and redirects internal function pointers into libc to achieve RCE.
Redis is no-auth by default in many deployments and frequently network-exposed. As a shared infrastructure component, a compromised Redis often equals a foothold in the whole app stack.
Fixed versions: 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3. Upgrade immediately — no alternative.
via Redis Advisory
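A quick way to triage a fleet against the fixed versions above, as an added example (not code from the advisory or the Redis project): it assumes the version string comes from INFO server or redis-server --version, and treats a build inside the affected range whose branch has no listed fix (e.g. 8.0.x) as vulnerable.

```python
"""Assess a Redis server version against the advisory's affected/fixed ranges.

Added example, not from the advisory: maps a version string to its release
branch and compares it with the fixed release the advisory lists for it.
"""
import re

# Fixed releases per branch, as listed in the advisory.
FIXED = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}
AFFECTED_MIN = (7, 2, 0)   # advisory: affects 7.2.0 through 8.6.2
AFFECTED_MAX = (8, 6, 2)


def parse_version(text):
    """Pull MAJOR.MINOR.PATCH out of e.g. 'redis_version:7.4.2' (INFO server)
    or 'Redis server v=8.2.5 sha=...' (redis-server --version)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(text):
    """Return one of: not_affected, fixed, vulnerable, vulnerable_no_fix_listed."""
    v = parse_version(text)
    branch = v[:2]
    if v < AFFECTED_MIN or (v > AFFECTED_MAX and branch not in FIXED):
        return "not_affected"   # outside the advisory's affected range
    fixed = FIXED.get(branch)
    if fixed is None:
        # Inside the affected range (e.g. an 8.0.x build) but the advisory
        # lists no patched release for this branch: treat as vulnerable.
        return "vulnerable_no_fix_listed"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs in the format of INFO server output.
    for line in ("redis_version:7.4.2", "redis_version:8.0.1", "redis_version:8.6.3"):
        print(f"{line} -> {assess(line)}")
```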
