CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-23479

CVE-2026-23479: Use-After-Free Vulnerability in Redis Blocking-Client Command Re-Execution

Alon Barad
Alon Barad
Software Engineer

Jun 4, 2026·7 min read·89 visits

Executive Summary (TL;DR)

A Use-After-Free vulnerability in Redis blocking-client flow allows authenticated attackers to execute arbitrary system commands via memory reclamation and GOT overwrite.

CVE-2026-23479 is a critical Use-After-Free (UAF) vulnerability inside the blocking-client code path of the Redis in-memory data structure server. In affected versions from 7.2.0 until 8.6.3, the unblock client flow fails to handle an error return from processCommandAndResetClient when re-executing a previously blocked command. If a blocked client is evicted due to maxmemory limits or client eviction policies during this command processing flow, its client structure is freed. Because the caller ignores the error return and continues processing, it attempts to read and write properties on the freed client structure, leading to a Use-After-Free condition.

Vulnerability Overview

The vulnerability CVE-2026-23479 resides within the blocking-client management implementation of the Redis in-memory data store (redis-server). In Redis, clients can perform blocking operations, such as waiting for list items via BLPOP or waiting on stream entries via XREAD. While blocked, the connection state is tracked by a dedicated client structure. When the blocking condition is satisfied, the client is queued for unblocking, transitioning its execution state.\n\nDuring this transition, if the client has a pending command associated with it, the unblocking routing must dispatch and execute the command. This is handled by a dedicated command execution path inside the core engine. However, the system's client eviction policy can trigger memory reclamation routines under memory pressure, freeing inactive or memory-heavy client structures. This dynamic introduces a critical lifetime management issue if the execution path does not track whether a client structure remains valid.\n\nThe vulnerability is classified under CWE-416 (Use After Free). If an active, blocked client structure is freed during the command execution phase, the subsequent logic continues to read and write to the freed structure's memory address. Under standard deployments, an authenticated attacker can leverage this condition to gain control of execution flow, resulting in unauthenticated execution of administrative or system-level commands.

Root Cause Analysis

The root cause of the vulnerability lies within the unblockClientOnKey() function in src/blocked.c. When a blocked client is unblocked, the function checks for the CLIENT_PENDING_COMMAND flag. If set, it updates the state flags to CLIENT_REEXECUTING_COMMAND and calls processCommandAndResetClient(c) to process the queued command.\n\nThe critical flaw is that unblockClientOnKey() ignores the return value of processCommandAndResetClient(c). This function is documented to return C_ERR if the client structure is destroyed or freed during the execution of the command. Because the return value is ignored, the execution flow continues under the assumption that the pointer c points to a valid client struct.\n\nIf the client is evicted during the execution of the command (for example, if the command processing causes memory allocations that exceed configured thresholds and trigger client eviction), the client memory is freed using zfree(). The freed memory is not cleared, and the pointer remains registered. The subsequent lines in unblockClientOnKey() perform flag evaluations such as !(c->flags & CLIENT_BLOCKED) and bitwise assignments like c->flags &= ~CLIENT_REEXECUTING_COMMAND. This results in both use-after-free read and write operations on the reclaimed or unmapped heap memory.

Code Analysis

To understand the structural failure, we analyze the vulnerable code path in src/blocked.c prior to the patch. The flow executes critical operations on the client pointer c after invoking processCommandAndResetClient(c) without any validation.\n\nc\n/* Vulnerable Code in src/blocked.c */\nstatic void unblockClientOnKey(client *c, robj *key) {\n ...\n if (c->flags & CLIENT_PENDING_COMMAND) {\n c->flags &= ~CLIENT_PENDING_COMMAND;\n c->flags |= CLIENT_REEXECUTING_COMMAND;\n ...\n /* processCommandAndResetClient can free client 'c' and return C_ERR */\n processCommandAndResetClient(c); \n \n /* UAF READ: Dereferencing c->flags on a potentially freed client */\n if (!(c->flags & CLIENT_BLOCKED)) {\n if (c->flags & CLIENT_MODULE) {\n moduleCallCommandUnblockedHandler(c);\n } else {\n /* Queues the freed pointer to server.unblocked_clients */\n queueClientForReprocessing(c);\n }\n }\n exitExecutionUnit();\n afterCommand(c);\n /* UAF WRITE: Modifying flags on a freed client */\n c->flags &= ~CLIENT_REEXECUTING_COMMAND; \n ...\n }\n}\n\n\nThe upstream patch introduces an explicit check on the return value of processCommandAndResetClient(c). If the return value is C_ERR, the function aborts further execution, ensuring no dereferences occur on the freed pointer.\n\nc\n/* Patched Code in src/blocked.c */\nstatic void unblockClientOnKey(client *c, robj *key) {\n ...\n if (c->flags & CLIENT_PENDING_COMMAND) {\n c->flags &= ~CLIENT_PENDING_COMMAND;\n c->flags |= CLIENT_REEXECUTING_COMMAND;\n ...\n /* The return value is now captured and checked */\n if (processCommandAndResetClient(c) == C_ERR) {\n /* Client was freed inside the call; abort immediately */\n return;\n }\n \n /* Safe dereference: client is guaranteed to be valid */\n if (!(c->flags & CLIENT_BLOCKED)) {\n if (c->flags & CLIENT_MODULE) {\n moduleCallCommandUnblockedHandler(c);\n } else {\n queueClientForReprocessing(c);\n }\n }\n exitExecutionUnit();\n afterCommand(c);\n c->flags &= ~CLIENT_REEXECUTING_COMMAND;\n ...\n }\n}\n

Exploitation Methodology

Exploitation of CVE-2026-23479 requires an authenticated connection with access to standard Redis commands and configurations. The attack payload involves a multi-stage process designed to bypass Address Space Layout Randomization (ASLR), trigger the Use-After-Free condition, reclaim the freed heap space, and redirect control flow.\n\nFirst, the attacker leaks a heap address using a Lua script conversion bypass. Running EVAL "return tostring(redis.call)" 0 returns the address of the internal handler. Because the offset between this handler and the main heap structures is constant, this leakage provides the precise location of the heap.\n\nSecond, the attacker establishes three distinct connections. Connection 1 configures the memory boundaries, Connection 2 creates a memory-intensive state by queueing massive command replies within a transaction and blocking on a stream, and Connection 3 triggers client eviction by lowering the limit and sending data to unblock Connection 2. This sequence forces unblockClientOnKey() to execute, evicting the victim client and queuing its freed pointer in the global server.unblocked_clients queue.\n\nThird, during the same event loop tick, the attacker reclaims the freed client allocation with a crafted SET command. When Redis processes the unblocked_clients queue, it reads the attacker's fake client structure. The fake client utilizes a controlled last_memory_type index and a controlled last_memory_usage decrement value to target the Global Offset Table (.got.plt), which is writable due to partial RELRO. This relative write decreases the GOT entry for strcasecmp until it points to system, allowing any subsequent commands to be executed directly in the host shell.

Impact Assessment

The security impact of CVE-2026-23479 is extremely high. Successful exploitation grants the attacker arbitrary remote code execution (RCE) with the privileges of the running Redis daemon. Since Redis is frequently run with administrative or container root privileges, this compromise can lead to complete host takeover.\n\nThe vulnerability is tracked with a CVSS 3.1 Base Score of 8.8 (High) and a CVSS 4.0 Base Score of 7.7 (High). The attack vector is Network (AV:N), complexity is Low to High depending on heap grooming precision (AC:L in NVD, AC:H in CVSS 4.0), privileges required are Low (PR:L), and no user interaction is required (UI:N). The scope remains Unchanged (S:U), while impact on confidentiality, integrity, and availability is High (C:H/I:H/A:H).\n\nmermaid\ngraph LR\n A["Attacker (Authenticated)"] -->|"1. Leak Heap via Lua"| B("Redis Server")\n A -->|"2. Trigger Eviction & UAF"| B\n A -->|"3. Reclaim Memory & Write GOT"| B\n B -->|"4. Hijack strcasecmp"| C["System Shell (RCE)"]\n\n\nBecause the vulnerability leads to a direct control-flow hijack, it acts as a significant vector for privilege escalation and lateral movement within internal networks where Redis instances are commonly deployed without deep perimeter defense.

Remediation and Mitigation

The definitive remediation for CVE-2026-23479 is to upgrade Redis to a patched version. Upstream maintenance teams have released fixes across all active release branches. Administrators should deploy the following versions:\n\n* Redis 7.2.x: Upgrade to 7.2.14 or higher\n* Redis 7.4.x: Upgrade to 7.4.9 or higher\n* Redis 8.2.x: Upgrade to 8.2.6 or higher\n* Redis 8.4.x: Upgrade to 8.4.3 or higher\n* Redis 8.6.x: Upgrade to 8.6.3 or higher\n\nIf patching cannot be performed immediately, temporary operational workarounds must be implemented. First, restrict administrative capabilities by disabling or renaming the CONFIG command using Redis Access Control Lists (ACLs). This prevents attackers from manipulating maxmemory-clients to trigger the eviction sequence.\n\nSecond, disable Lua scripting support entirely if not required, or limit the @scripting category to administrative users to prevent the heap address leakage. Finally, ensure that the Redis service is bound exclusively to localized interfaces or private networks, protecting the port from public exposure.

Official Patches

RedisOfficial patch commit

Fix Analysis (1)

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Probability
0.10%
Top 72% most exploited

Affected Systems

Redis (redis-server) 7.2.xRedis (redis-server) 7.4.xRedis (redis-server) 8.2.xRedis (redis-server) 8.4.xRedis (redis-server) 8.6.x

Affected Versions Detail

Product
Affected Versions
Fixed Version
Redis
Redis
7.2.0 - 7.2.137.2.14
Redis
Redis
7.4.0 - 7.4.87.4.9
Redis
Redis
8.2.0 - 8.2.58.2.6
Redis
Redis
8.4.0 - 8.4.28.4.3
Redis
Redis
8.6.0 - 8.6.28.6.3
AttributeDetail
CWE IDCWE-416
Attack VectorNetwork
CVSS Score8.8 (High)
EPSS Score0.00103
Exploit Statuspoc
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1203Exploitation for Client Execution
Execution
T1068Exploitation for Privilege Escalation
Privilege Escalation
CWE-416
Use After Free

The product references memory after it has been freed, which can lead to a crash, unexpected behavior, or execution of arbitrary code.

Known Exploits & Detection

ZeroDay.cloudDetailed proof-of-concept write-up on the exploitation mechanics

Vulnerability Timeline

Vulnerability discovered at ZeroDay.Cloud 2025
2025-12-10
Upstream patches committed and CVE published
2026-05-05

References & Sources

  • [1]GitHub Security Advisory
  • [2]Redis Official Patch Commit
  • [3]Redis Version 8.6.3 Release Notes
  • [4]Wiz Threat Advisory Database Entry
  • [5]CVE.org Authority Record
  • [6]ZeroDay.Cloud Deep-Dive Analysis
  • [7]Debian CVE Tracker Page
  • [8]Xint Code Design Announcement

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 day ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
8 views•7 min read
•1 day ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•1 day ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
11 views•7 min read
•1 day ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
6 views•6 min read
•1 day ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•1 day ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read