{"uuid": "5f4ddcc5-3a33-4a9e-a949-a2e945d8f276", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-93m2-935m-8rj3", "type": "seen", "source": "https://gist.github.com/alon710/99a19d019be27796ebd7628a70079b9c", "content": "# CVE-2026-23479: Use-After-Free Vulnerability in Redis Blocking-Client Command Re-Execution\n\n> **CVSS Score:** 8.8\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-23479\n\n## Summary\nCVE-2026-23479 is a critical Use-After-Free (UAF) vulnerability inside the blocking-client code path of the Redis in-memory data structure server. In affected versions from 7.2.0 until 8.6.3, the unblock client flow fails to handle an error return from processCommandAndResetClient when re-executing a previously blocked command. If a blocked client is evicted due to maxmemory limits or client eviction policies during this command processing flow, its client structure is freed. Because the caller ignores the error return and continues processing, it attempts to read and write properties on the freed client structure, leading to a Use-After-Free condition.\n\n## TL;DR\nA Use-After-Free vulnerability in Redis blocking-client flow allows authenticated attackers to execute arbitrary system commands via memory reclamation and GOT overwrite.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-416\n- **Attack Vector**: Network\n- **CVSS Score**: 8.8 (High)\n- **EPSS Score**: 0.00103\n- **Exploit Status**: poc\n- **CISA KEV Status**: Not Listed\n\n## Affected Systems\n\n- Redis (redis-server) 7.2.x\n- Redis (redis-server) 7.4.x\n- Redis (redis-server) 8.2.x\n- Redis (redis-server) 8.4.x\n- Redis (redis-server) 8.6.x\n- **Redis**: 7.2.0 - 7.2.13 (Fixed in: `7.2.14`)\n- **Redis**: 7.4.0 - 7.4.8 (Fixed in: `7.4.9`)\n- **Redis**: 8.2.0 - 8.2.5 (Fixed in: `8.2.6`)\n- **Redis**: 8.4.0 - 8.4.2 (Fixed in: `8.4.3`)\n- **Redis**: 8.6.0 - 8.6.2 (Fixed in: `8.6.3`)\n\n## Mitigation\n\n- Disable or restrict the CONFIG command to block dynamic maxmemory-clients manipulation.\n- Restrict Lua scripting access using Redis ACLs to prevent heap address leakage.\n- Bind Redis exclusively to localized loopback interfaces or secure private networks.\n\n**Remediation Steps:**\n1. Identify the currently deployed Redis version.\n2. Select the appropriate patched release path (e.g., 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3).\n3. Apply the update in a staging environment to verify functionality.\n4. Deploy the patched version to production and restart the redis-server process.\n\n## References\n\n- [GitHub Security Advisory](https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3)\n- [Redis Official Patch Commit](https://github.com/redis/redis/commit/c14e9925e571c3c8ecbeb8632fe834faa32175ea)\n- [Redis Version 8.6.3 Release Notes](https://github.com/redis/redis/releases/tag/8.6.3)\n- [Wiz Threat Advisory Database Entry](https://www.wiz.io/vulnerability-database/cve/cve-2026-23479)\n- [CVE.org Authority Record](https://www.cve.org/CVERecord?id=CVE-2026-23479)\n- [ZeroDay.Cloud Deep-Dive Analysis](https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive)\n- [Debian CVE Tracker Page](https://security-tracker.debian.org/tracker/CVE-2026-23479)\n- [Xint Code Design Announcement](https://theori.io/blog/announcing-xint-code)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-23479) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T07:10:55.000000Z"}