PT-2026-21545 · Valkey+4

0X Kato · Published 2026-02-23 · Updated 2026-05-18 · CVE-2026-21863

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Valkey versions prior to 9.0.2
Valkey versions prior to 8.1.6
Valkey versions prior to 8.0.7
Valkey versions prior to 7.2.12

Description

A malicious actor with access to the clusterbus port can send an invalid packet that may cause an out-of-bounds read, potentially resulting in a system crash. This occurs because the clusterbus packet processing code fails to validate whether a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it.

Recommendations

Update to version 9.0.2
Update to version 8.1.6
Update to version 8.0.7
Update to version 7.2.12
Do not expose the cluster bus connection directly to end users and protect the connection using network ACLs.
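
The kind of check the Description says was missing, as an added example that is not Valkey's code or its patch: every extension header and body is proven to lie inside the received buffer before any of its bytes are read. The 8-byte header layout, the function name validate_extensions and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical extension header (assumption, not Valkey's wire format):
 * 4-byte big-endian total length (header included), 2-byte type, 2 unused. */
#define EXT_HDR_LEN 8u

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk `count` extensions starting at `off` in a packet of `len` bytes.
 * Returns 0 only if every extension lies entirely inside the buffer and the
 * extensions end exactly at `len`; returns -1 otherwise. */
int validate_extensions(const uint8_t *pkt, size_t len, size_t off, uint16_t count) {
    if (pkt == NULL || off > len) return -1;
    for (uint16_t i = 0; i < count; i++) {
        size_t remaining = len - off;              /* safe: off <= len */
        if (remaining < EXT_HDR_LEN) return -1;    /* header crosses the end */
        uint32_t ext_len = read_be32(pkt + off);   /* header is in bounds now */
        if (ext_len < EXT_HDR_LEN) return -1;      /* too short: no progress */
        if (ext_len > remaining) return -1;        /* body crosses the end */
        off += ext_len;                            /* no overflow: <= remaining */
    }
    return off == len ? 0 : -1;                    /* reject trailing bytes */
}

/* Constructed samples: 4-byte dummy fixed header, then extensions. */
static const uint8_t ok_pkt[] = {
    0xAA, 0xBB, 0xCC, 0xDD,
    0, 0, 0, 12, 0, 1, 0, 0, 'n', 'o', 'd', 'e',   /* ext 1: length 12 */
    0, 0, 0, 8, 0, 2, 0, 0 };                      /* ext 2: length 8 */
/* Declared length 64 points far past the end of this 12-byte packet. */
static const uint8_t bad_len_pkt[] = { 0xAA, 0xBB, 0xCC, 0xDD, 0, 0, 0, 64, 0, 1, 0, 0 };

int main(void) {
    printf("well-formed:       %d\n", validate_extensions(ok_pkt, sizeof ok_pkt, 4, 2));
    printf("count too high:    %d\n", validate_extensions(ok_pkt, sizeof ok_pkt, 4, 3));
    printf("truncated buffer:  %d\n", validate_extensions(ok_pkt, 20, 4, 2));
    printf("oversized length:  %d\n", validate_extensions(bad_len_pkt, sizeof bad_len_pkt, 4, 1));
    return 0;
}
```

A packet that fails this check is dropped before any extension field is interpreted, so a bad length or count costs the sender a rejected packet rather than an out-of-bounds read.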

Exploit

Fix

DoS

Out of bounds Read

Weakness Enumeration

Related Identifiers

ALSA-2026:3443
ALSA-2026:3507
AZL-78320
BDU:2026-07339
BIT-VALKEY-2026-21863
CVE-2026-21863
GHSA-C677-Q3WR-GGGQ
OPENSUSE-SU-2026:10266-1
OPENSUSE-SU-2026:20776-1
RHSA-2026:3443
RHSA-2026:3507
RHSA-2026:5445
RHSA-2026:8753
SUSE-SU-2026:0685-1
SUSE-SU-2026:0848-1
SUSE-SU-2026:21814-1
USN-8106-1

Affected Products

Linuxmint
Red Os
Rocky Linux
Ubuntu
Valkey