CVE-2021-32762

Name of the Vulnerable Software and Affected Versions Redis versions prior to 5.0.14 Redis versions prior to 6.0.16 Redis versions prior to 6.2.6

Description The issue is related to an integer overflow vulnerability in the hiredis library used by Redis, which can occur when parsing specially crafted large multi-bulk network replies. This vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. The problem is a result of the hiredis library not performing an overflow check before calling the calloc() heap allocation function. Most modern systems are not likely to be affected as they have heap allocators that perform their own overflow checks. Additionally, redis-sentinel uses the jemalloc allocator by default, which is also not vulnerable.

Recommendations For Redis versions prior to 5.0.14, update to version 5.0.14 or later. For Redis versions prior to 6.0.16, update to version 6.0.16 or later. For Redis versions prior to 6.2.6, update to version 6.2.6 or later.