Vulnerability from bitnami_vulndb
Published
2026-02-26 08:53
Modified
2026-02-26 09:13
Summary
Malformed Valkey Cluster bus message can lead to Remote DoS
Details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "valkey",
        "purl": "pkg:bitnami/valkey"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.2.12"
            },
            {
              "introduced": "8.0.0"
            },
            {
              "fixed": "8.0.7"
            },
            {
              "introduced": "8.1.0"
            },
            {
              "fixed": "8.1.6"
            },
            {
              "introduced": "9.0.0"
            },
            {
              "fixed": "9.0.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21863"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:valkey-io:valkey:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
  },
  "details": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don\u0027t expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.",
  "id": "BIT-valkey-2026-21863",
  "modified": "2026-02-26T09:13:58.886Z",
  "published": "2026-02-26T08:53:20.799Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21863"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Malformed Valkey Cluster bus message can lead to Remote DoS"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.