Analysis pending

CVE-2026-23479: RCE in Redis 7.2.0 - 8.6.3

Platform

redis

Component

redis

Fixed in

8.6.3

CVE-2026-23479 affects Redis, an in-memory data structure store, impacting systems where the unblock client flow is improperly handled. This flaw allows an authenticated attacker to trigger a use-after-free condition, potentially leading to remote code execution. The vulnerability impacts Redis versions 7.2.0 through 8.6.2, and a patch is available in version 8.6.3.

Impact and attack scenarios

An attacker who can authenticate to the Redis server can exploit this vulnerability to gain remote code execution. The attack involves manipulating the unblock client flow, specifically when a blocked client is evicted and then re-executed. This triggers a use-after-free condition, which can be leveraged to overwrite memory and execute arbitrary code. Successful exploitation could allow an attacker to compromise the entire Redis server, potentially leading to data theft, system takeover, or denial of service. The blast radius extends to any application or service relying on the compromised Redis instance.

Exploitation context

The vulnerability was published on 2026-05-05. Exploitation context is currently unknown, and no public proof-of-concept (POC) code has been released. The vulnerability's severity is pending evaluation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.

Threat analysis

Exploit status

Proof of concept: Unknown
CISA KEV: No
NextGuard: 10–15% still vulnerable

EPSS

0.10% (28th percentile)

Affected software

Component: redis
Vendor: redis
Minimum affected version: 7.2.0
Affected version range: >= 7.2.0, < 8.6.3
Fixed in: 8.6.3

Vulnerability classification (CWE)

Timeline

  1. Published
  2. Modified
  3. EPSS updated

Mitigation and workarounds

The primary mitigation for CVE-2026-23479 is to upgrade to Redis version 8.6.3 or later. If an immediate upgrade is not possible, restrict access to the Redis server to trusted clients only and use network segmentation to limit the impact of a compromise. Monitor Redis logs for unusual activity related to client eviction and re-execution. Redis is not normally fronted by a WAF, so a direct WAF rule is unlikely to apply; instead, consider restricting which clients may run client-management commands. After upgrading, confirm the fix by exercising the unblock client flow with the triggering input and verifying that no errors or crashes occur.
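The first step of the mitigation above is knowing which instances fall inside the affected range (>= 7.2.0, < 8.6.3). The following is an added example, not code from this advisory or from the Redis project: it reads the redis_version field from the output of the Redis INFO server command and compares it numerically against the range stated on this page. The INFO sample embedded below is constructed for illustration, not captured from a real host.

```python
import re

# Affected range from the advisory: >= 7.2.0 and < 8.6.3 (fixed in 8.6.3).
AFFECTED_MIN = (7, 2, 0)
FIXED_IN = (8, 6, 3)


def parse_version(text):
    """Turn '8.6.2', 'v8.6.2' or '8.6.2-rc1' into a (major, minor, patch) tuple.

    Comparing tuples of integers avoids the classic string-comparison bug
    where '8.6.10' sorts before '8.6.3'.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version lies in [7.2.0, 8.6.3), the range this advisory lists."""
    v = parse_version(version)
    return AFFECTED_MIN <= v < FIXED_IN


def version_from_info(info_text):
    """Extract the redis_version field from the text returned by INFO server."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def check_info(info_text):
    """Return (version string, affected flag) for one INFO server response."""
    v = version_from_info(info_text)
    return v, is_affected(v)


# Constructed sample of INFO server output (not from a real deployment).
SAMPLE_INFO = """# Server
redis_version:8.6.2
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.1.0 x86_64
"""

if __name__ == "__main__":
    version, affected = check_info(SAMPLE_INFO)
    print(f"redis_version={version} affected={affected}")
```

In practice you would feed `check_info` the text returned by `INFO server` from each instance in your inventory; any instance reporting `affected=True` is a candidate for the upgrade to 8.6.3 or later.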

How to fix

Upgrade your Redis server to version 8.6.3 or later to mitigate the use-after-free vulnerability. This update corrects the error handling in the client unblock flow, preventing the possible remote code execution.

Frequently asked questions

What is CVE-2026-23479 (Remote Code Execution in Redis)?

It's a Remote Code Execution (RCE) vulnerability in Redis versions 7.2.0 through 8.6.2, allowing authenticated attackers to trigger a use-after-free.

Am I affected by CVE-2026-23479 in Redis?

If you're running Redis versions 7.2.0 through 8.6.2, you are potentially affected. Upgrade to 8.6.3 or later immediately.

How do I fix CVE-2026-23479 in Redis?

Upgrade to Redis version 8.6.3 or later. If that's not immediately possible, restrict access and monitor logs.

Is CVE-2026-23479 being actively exploited?

Currently, there are no public reports of active exploitation, but the vulnerability's potential impact warrants immediate attention.

Where can I find the official Redis advisory for CVE-2026-23479?

Refer to the Redis security advisory and the NVD entry for CVE-2026-23479 for detailed information.
