0X Kato

**Name of the Vulnerable Software and Affected Versions** Valkey versions prior to 9.0.2 Valkey versions prior to 8.1.6 Valkey versions prior to 8.0.7 Valkey versions prior to 7.2.12 **Description** A malicious actor with access to the clusterbus port can send an invalid packet that may cause an out-of-bounds read, potentially resulting in a system crash. This occurs because the clusterbus packet processing code fails to validate whether a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. **Recommendations** Update to version 9.0.2 Update to version 8.1.6 Update to version 8.0.7 Update to version 7.2.12 Do not expose the cluster bus connection directly to end users and protect the connection using network ACLs.