PT-2026-37085 · Redis · Redis-Server+1
Xint Code · Published 2026-05-05 · Updated 2026-06-04 · CVE-2026-23479

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: redis-server versions 7.2.0 through 8.6.2
Description: A use-after-free issue exists in the unblock-client flow of the Redis in-memory data structure store. The flaw occurs when the server fails to handle an error return from processCommandAndResetClient() while re-executing a blocked command. If the blocked client is evicted during this re-execution, an authenticated attacker can trigger the use-after-free condition, potentially leading to remote code execution on the host. The exploit chain involves using a Lua script to leak a heap pointer, grooming client memory, and overwriting a function pointer in the Global Offset Table to redirect a string function to system(). The issue is particularly critical because Redis is used in approximately 75% of cloud environments, many of which operate without passwords, which effectively grants the permissions needed for exploitation.
Recommendations: Update to version 7.2.14 for the 7.2.x branch, 7.4.9 for the 7.4.x branch, 8.2.6 for the 8.2.x branch, 8.4.3 for the 8.4.x branch, and 8.6.3 for the 8.6.x branch. As a temporary mitigation, disable Lua scripting where it is not required; this breaks the exploit chain. Restrict access to Redis by keeping it off the public internet and placing it behind TLS. Tighten Access Control Lists (ACLs) so that no single role holds both the @admin and @scripting permissions at the same time.
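The version and ACL checks from the recommendations above can be automated. The following script is an added example written for this page, not tooling from the advisory publisher or the Redis project. It encodes the affected range and fixed releases exactly as the advisory lists them, and it scans the text output of Redis's ACL LIST command for enabled users that hold both the @admin and @scripting categories. The sample ACL LIST lines are constructed (the password hashes are placeholder hex), and the category evaluation is a simplified, order-sensitive model of +@/-@ tokens that ignores per-command grants, so treat it as a triage aid rather than a full reimplementation of Redis ACL semantics.

```python
"""Added example: triage checks for the CVE-2026-23479 recommendations.

1. is_vulnerable(): compare a redis-server version string against the
   affected range and per-branch fixed releases stated in the advisory.
2. find_risky_users(): parse `ACL LIST` text and report enabled users that
   hold both @admin and @scripting (the combination the advisory says no
   single role should have).
"""
import re
from typing import List, Optional, Set, Tuple

# Affected range and fixed releases exactly as stated in the advisory.
AFFECTED_MIN = (7, 2, 0)
AFFECTED_MAX = (8, 6, 2)
FIXED_VERSIONS = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """True if the version lies in the affected range and is below its
    branch's fixed release. A branch inside the range with no fix listed
    in the advisory (e.g. 8.0.x) is conservatively reported as vulnerable."""
    v = parse_version(version)
    if v < AFFECTED_MIN or v > AFFECTED_MAX:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    return True if fixed is None else v < fixed


def acl_categories(acl_line: str) -> Optional[Tuple[str, bool, Set[str], bool, Set[str]]]:
    """Parse one `ACL LIST` line into
    (username, enabled, included, grants_all, excluded).
    Simplified model: +@cat / -@cat / +@all / -@all / allcommands /
    nocommands are evaluated left to right; other tokens (passwords,
    key/channel patterns, per-command grants) are ignored."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        return None
    name, enabled = tokens[1], tokens[2] == "on"
    included: Set[str] = set()
    excluded: Set[str] = set()
    grants_all = False
    for tok in tokens[3:]:
        if tok in ("allcommands", "+@all"):
            grants_all, included, excluded = True, set(), set()
        elif tok in ("nocommands", "-@all"):
            grants_all, included, excluded = False, set(), set()
        elif tok.startswith("+@"):
            included.add(tok[2:])
            excluded.discard(tok[2:])
        elif tok.startswith("-@"):
            excluded.add(tok[2:])
            included.discard(tok[2:])
    return name, enabled, included, grants_all, excluded


def user_has(parsed, category: str) -> bool:
    """Category is granted if named explicitly, or via +@all without a later -@cat."""
    _, _, included, grants_all, excluded = parsed
    return category in included or (grants_all and category not in excluded)


def find_risky_users(acl_list: str) -> List[str]:
    """Enabled users holding both @admin and @scripting, in ACL LIST order."""
    risky = []
    for line in acl_list.splitlines():
        parsed = acl_categories(line)
        if parsed is None or not parsed[1]:
            continue  # skip non-user lines and disabled ('off') users
        if user_has(parsed, "admin") and user_has(parsed, "scripting"):
            risky.append(parsed[0])
    return risky


# Constructed sample ACL LIST output (placeholder hashes, not real credentials).
SAMPLE_ACL_LIST = "\n".join([
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "00" * 32 + " ~app:* &* -@all +@read +@write +@scripting",
    "user ops on #" + "11" * 32 + " ~* &* +@all -@dangerous -@scripting",
    "user legacy off nopass ~* &* +@all",
])

if __name__ == "__main__":
    for ver in ("7.2.13", "7.2.14", "8.6.2", "8.6.3"):
        print(f"redis-server {ver}: {'VULNERABLE' if is_vulnerable(ver) else 'not affected / fixed'}")
    print("users with both @admin and @scripting:", find_risky_users(SAMPLE_ACL_LIST))
```

In practice, feed the script the output of `redis-cli INFO server` (the redis_version field) and `redis-cli ACL LIST` from each instance; a passwordless `default` user with +@all, as in the constructed sample, is exactly the configuration the advisory singles out.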

Exploit · Fix · RCE · Use After Free

Weakness Enumeration

Related Identifiers

BDU:2026-06444
BIT-KEYDB-2026-23479
BIT-REDIS-2026-23479
BIT-VALKEY-2026-23479
CVE-2026-23479
OESA-2026-2237
OPENSUSE-SU-2026:10711-1
OPENSUSE-SU-2026:10719-1

Affected Products

Redis
Redis-Server