PT-2026-37093 · Redis · RedisBloom

Author: Daniel Firer (+1)
Published: 2026-05-05 · Updated: 2026-06-03
CVE-2026-25589
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: RedisBloom versions prior to 2.8.20
Description: RedisBloom, a probabilistic data structures module for Redis, fails to properly validate serialized values processed via the RESTORE command. An authenticated attacker with permission to execute RESTORE on a server where the module is loaded can supply a crafted serialized payload that triggers invalid memory access, which may result in remote code execution.
Recommendations: Update to version 2.8.20. As a temporary workaround, restrict access to the RESTORE command using ACL rules.
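An added example of the ACL workaround, not part of this advisory: a Redis users.acl fragment contrasting a user that can still run RESTORE with one that cannot. The user names and the password placeholder are assumptions.

```conf
# Redis ACL file (users.acl) fragment. Added example, not from the advisory;
# user names and the password placeholder are constructed.

# Weak (kept as a comment, since an ACL file rejects duplicate user entries):
# the application user is granted every command, including RESTORE, so any
# credential with this rule set can feed serialized payloads to the module.
# user app on >REPLACE_WITH_SECRET ~* &* +@all

# Hardened: same user, but RESTORE and its cluster variant RESTORE-ASKING are
# removed. Rules apply left to right, so the trailing "-" entries override +@all.
user app on >REPLACE_WITH_SECRET ~* &* +@all -restore -restore-asking

# Only an operator account that genuinely needs RESTORE (e.g. for migrations)
# gets it, and nothing else beyond read commands.
user migrator on >REPLACE_WITH_SECRET ~* &* +@read +restore

# Apply with "redis-cli ACL LOAD" (or set the same rules live via ACL SETUSER),
# then confirm the denial with: redis-cli ACL DRYRUN app RESTORE k 0 x
```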

Tags: Exploit · Fix · RCE · Heap Based Buffer Overflow · Use After Free · Memory Corruption · Integer Overflow


Related Identifiers

BDU:2026-06444
BDU:2026-06448
BDU:2026-06449
BDU:2026-06450
BDU:2026-06451
BIT-KEYDB-2026-25589
BIT-REDIS-2026-25589
CVE-2026-25589
OPENSUSE-SU-2026:10711-1

Affected Products

RedisBloom