PT-2026-37085 · Redis+1 · Redis-Server+2

Xint Code · Published 2026-05-05 · Updated 2026-06-29 · CVE-2026-23479

CVSS v2.0: 9.0 (High) · Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: redis-server versions 7.2.0 through 8.6.3

Description: An authenticated attacker can trigger a use-after-free condition in the unblock client flow when a blocked client is evicted. This occurs because the system does not properly handle an error return from the processCommandAndResetClient() function when re-executing a blocked command. Exploitation of this flaw can lead to remote code execution, allowing the attacker to execute arbitrary OS commands on the host machine. The issue is particularly critical in cloud environments where Redis instances may be deployed without passwords, as the default user often possesses the necessary privileges to facilitate the attack. The exploitation chain involves leaking a heap pointer via a Lua script, grooming client memory, and overwriting a function pointer in the Global Offset Table to redirect execution to system().

Recommendations: Update redis-server to version 8.6.3 or the corresponding patched version for your branch: 7.2.14, 7.4.9, 8.2.6, or 8.4.3. Restrict Redis access to trusted networks and avoid exposing it directly to the internet. Enforce strong authentication and least privilege access controls. Disable Lua scripting if it is not required for your operations. Tighten Access Control Lists (ACLs) to ensure no single role possesses both @admin and @scripting permissions simultaneously.
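The ACL recommendation above can be checked mechanically. The following audit script is an added example, not part of this advisory or of the Redis project: it parses the text printed by `redis-cli ACL LIST` (one `user <name> <flags and rules>` line per user, which is the format assumed here), evaluates only category-level rules (`+@cat`, `-@cat`, `+@all`, `-@all`) left to right, and reports enabled users that hold both the @admin and @scripting categories, as well as users configured with `nopass`. The sample ACL output embedded below is constructed, with `#<sha256-placeholder>` standing in for real password hashes.

```python
"""Audit `redis-cli ACL LIST` output for users that combine @admin and @scripting,
and for passwordless (nopass) users. Added example; not part of the advisory.

Assumptions: input lines have the shape printed by ACL LIST in Redis 7.x
("user <name> on|off [nopass|#<hash>] ... <rules>"). Only category rules are
modelled; per-command rules such as +eval or -config are ignored, so treat the
result as a first-pass screen, not a complete permission evaluation.
"""

# Category names as reported by `ACL CAT` on Redis 7.x (assumed; extend this
# set if your server reports additional categories).
ALL_CATEGORIES = frozenset({
    "keyspace", "read", "write", "set", "sortedset", "list", "hash", "string",
    "bitmap", "hyperloglog", "geo", "stream", "pubsub", "admin", "fast", "slow",
    "blocking", "dangerous", "connection", "transaction", "scripting",
})

# Constructed sample of ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write +@scripting
user ops on #<sha256-placeholder> ~* &* -@all +@admin +@connection
user legacy off nopass ~* &* +@all
"""


def effective_categories(tokens):
    """Apply category rules in order and return the set of categories granted."""
    cats = set()
    for tok in tokens:
        if tok in ("+@all", "allcommands"):   # grant every category
            cats = set(ALL_CATEGORIES)
        elif tok in ("-@all", "nocommands"):  # revoke every category
            cats = set()
        elif tok.startswith("+@"):
            cats.add(tok[2:])
        elif tok.startswith("-@"):
            cats.discard(tok[2:])
        # key patterns (~), channel patterns (&), hashes (#) and per-command
        # rules (+cmd / -cmd) are intentionally not evaluated here
    return cats


def parse_acl_list(text):
    """Turn ACL LIST text into a list of per-user dicts."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue  # skip blank or unexpected lines
        name, tokens = parts[1], parts[2:]
        users.append({
            "name": name,
            "enabled": "on" in tokens,
            "nopass": "nopass" in tokens,
            "categories": effective_categories(tokens),
        })
    return users


def audit(text):
    """Return (user, issue) pairs for enabled users that violate the recommendations."""
    findings = []
    for user in parse_acl_list(text):
        if not user["enabled"]:
            continue  # disabled users cannot authenticate
        cats = user["categories"]
        if "admin" in cats and "scripting" in cats:
            findings.append((user["name"], "admin+scripting"))
        if user["nopass"]:
            findings.append((user["name"], "nopass"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE_ACL_LIST):
        print(f"{name}: {issue}")
```

Run it against live output with `redis-cli ACL LIST | python3 audit_acl.py` after replacing the sample with `sys.stdin.read()`; on the constructed sample only the `default` user is flagged, once for holding both categories via `+@all` and once for `nopass`, while `app` (scripting only) and `ops` (admin only) pass and the disabled `legacy` user is skipped.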

Tags: Exploit · Fix · RCE · Use After Free


Related Identifiers

ALSA-2026:25219
BDU:2026-06444
BIT-KEYDB-2026-23479
BIT-REDIS-2026-23479
BIT-VALKEY-2026-23479
CVE-2026-23479
OESA-2026-2237
OPENSUSE-SU-2026:10711-1
OPENSUSE-SU-2026:10719-1
RHSA-2026:25216
RHSA-2026:25219
RHSA-2026:25925
RHSA-2026:26306
RHSA-2026:26540

Affected Products

Redis
Rocky Linux
Redis-Server