CVE-2026-21863
Out-of-Bounds Read in Valkey Clusterbus Causes Crash
Publication date: 2026-02-23
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | valkey | Up to 7.2.12 (exc) |
| lfprojects | valkey | From 8.0.0 (inc) to 8.0.7 (exc) |
| lfprojects | valkey | From 8.1.0 (inc) to 8.1.6 (exc) |
| lfprojects | valkey | From 9.0.0 (inc) to 9.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21863 is a vulnerability in the Valkey distributed key-value database server affecting versions up to 9.0.2. The issue occurs because the Valkey clusterbus packet processing code does not properly validate that a clusterbus ping extension packet is within the allocated buffer before reading it. This improper validation leads to an out-of-bounds read, which is a type of memory access error.
An attacker with access to the Valkey clusterbus port can send a malformed packet that triggers this out-of-bounds read, potentially causing the Valkey process to crash.
No special privileges or user interaction are required to exploit this vulnerability, and the attack complexity is low. The attacker must have network access to the clusterbus port but does not need remote internet access.
How can this vulnerability impact me?
This vulnerability can cause a remote denial of service (DoS) by crashing the Valkey server process when a malformed clusterbus packet is received.
The impact is on the availability of the Valkey service, meaning legitimate users may experience service interruptions or downtime.
The vulnerability does not affect the confidentiality or integrity of data, but the loss of availability can disrupt operations that depend on the Valkey database.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic to the Valkey clusterbus port for malformed or invalid clusterbus packets, especially those containing clusterbus ping extension packets that may cause out-of-bounds reads.
Since the vulnerability involves sending malformed packets to the clusterbus port, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze traffic on the clusterbus port.
- Use tcpdump to capture traffic on the clusterbus port (replace `<interface>` and `<port>` with the actual interface and port number): `tcpdump -i <interface> port <port> -w capture.pcap`
- Analyze the captured packets with Wireshark to look for malformed clusterbus ping extension packets.
Additionally, monitor the Valkey server logs and system logs for crashes or abnormal terminations of the Valkey process, which may indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Valkey server to a fixed version: 9.0.3, 8.1.6, 8.0.7, or 7.2.12 or later.
As an additional mitigation, do not expose the Valkey clusterbus port directly to end users.
Protect the clusterbus connection with dedicated network access control lists (ACLs) to restrict access only to trusted hosts or networks.
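The first thing a defender needs before applying the upgrade advice above is to know whether a given Valkey build falls inside the affected ranges. The following script is an added example, not code from this page or from the Valkey project: it transcribes the affected ranges from the Affected Vendors & Products table (upper bounds exclusive, as the table marks them) and the fixed releases from the mitigation answer, and reports both for a version string. Note that the page's table ends the 9.0 range at 9.0.2 (exclusive) while its mitigation answer names 9.0.3 as the fixed release, so the two checks can disagree for 9.0.2; the script reports both rather than resolving that, and the upstream advisory should be consulted. The `Valkey server v=X.Y.Z ...` banner format used for the sample inputs is an assumption about `valkey-server --version` output, not something the page states.

```python
"""Check a Valkey version string against the CVE-2026-21863 affected ranges.

Added example, not from the advisory page or the Valkey project.
Affected ranges are transcribed from the page's affected-products table;
fixed releases are transcribed from the page's mitigation answer.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower bound inclusive or None for "any", upper bound exclusive), per the page's table.
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (7, 2, 12)),
    ((8, 0, 0), (8, 0, 7)),
    ((8, 1, 0), (8, 1, 6)),
    ((9, 0, 0), (9, 0, 2)),
]

# Fixed release per (major, minor) branch, per the page's mitigation answer.
# Anything at or below the 7.2 branch is mapped to 7.2.12 below.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (8, 0): (8, 0, 7),
    (8, 1): (8, 1, 6),
    (9, 0): (9, 0, 3),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return the first MAJOR.MINOR.PATCH triple found in text, or None.

    Accepts a bare '8.0.3' as well as a banner such as
    'Valkey server v=8.0.3 sha=...' (banner format assumed, not from the page).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True when version lies inside any affected range from the page's table."""
    for lower, upper in AFFECTED_RANGES:
        if (lower is None or version >= lower) and version < upper:
            return True
    return False


def fixed_release_for(version: Version) -> Optional[Version]:
    """Fixed release for the version's branch as listed on the page, or None
    when the page lists no fixed release for that branch (e.g. 8.2.x)."""
    major, minor, _ = version
    if (major, minor) <= (7, 2):
        return (7, 2, 12)
    return FIXED_BY_BRANCH.get((major, minor))


def needs_upgrade(version: Version) -> bool:
    """True when the page lists a fixed release for this branch and the
    version is older than it."""
    fixed = fixed_release_for(version)
    return fixed is not None and version < fixed


def assess(version_text: str) -> dict:
    """Parse a version string and report affected/fixed status in one dict."""
    version = parse_version(version_text)
    if version is None:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in {version_text!r}")
    fixed = fixed_release_for(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": is_affected(version),
        "fixed_release": ".".join(map(str, fixed)) if fixed else None,
        "needs_upgrade": needs_upgrade(version),
    }


if __name__ == "__main__":
    # Constructed sample banners; pass real `valkey-server --version` output
    # as an argument instead, if available.
    samples = sys.argv[1:] or [
        "Valkey server v=7.2.5 sha=00000000:0",
        "Valkey server v=8.0.7 sha=00000000:0",
        "Valkey server v=9.0.2 sha=00000000:0",
        "Valkey server v=8.2.1 sha=00000000:0",
    ]
    for s in samples:
        print(assess(s))
```

Running it with no arguments assesses the constructed samples; the 9.0.2 sample shows `affected` False (table) but `needs_upgrade` True (mitigation answer), which is exactly the discrepancy on this page that a practitioner should resolve against the upstream advisory before deciding a 9.0.2 node is safe.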