CVE-2026-21863
Modified Modified - Updated After Analysis

Out-of-Bounds Read in Valkey Clusterbus Causes Crash

Vulnerability report for CVE-2026-21863, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-23

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-23
Last Modified
2026-06-30
Generated
2026-07-06
AI Q&A
2026-02-23
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
lfprojects valkey to 7.2.12 (exc)
lfprojects valkey From 8.0.0 (inc) to 8.0.7 (exc)
lfprojects valkey From 8.1.0 (inc) to 8.1.6 (exc)
lfprojects valkey From 9.0.0 (inc) to 9.0.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-21863 is a vulnerability in the Valkey distributed key-value database server affecting versions up to 9.0.2. The issue occurs because the Valkey clusterbus packet processing code does not properly validate that a clusterbus ping extension packet is within the allocated buffer before reading it. This improper validation leads to an out-of-bounds read, which is a type of memory access error.

An attacker with access to the Valkey clusterbus port can send a malformed packet that triggers this out-of-bounds read, potentially causing the Valkey process to crash.

No special privileges or user interaction are required to exploit this vulnerability, and the attack complexity is low. The attacker must have network access to the clusterbus port but does not need remote internet access.

Impact Analysis

This vulnerability can cause a remote denial of service (DoS) by crashing the Valkey server process when a malformed clusterbus packet is received.

The impact is on the availability of the Valkey service, meaning legitimate users may experience service interruptions or downtime.

The vulnerability does not affect the confidentiality or integrity of data, but the loss of availability can disrupt operations that depend on the Valkey database.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring network traffic to the Valkey clusterbus port for malformed or invalid clusterbus packets, especially those containing clusterbus ping extension packets that may cause out-of-bounds reads.

Since the vulnerability involves sending malformed packets to the clusterbus port, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze traffic on the clusterbus port.

  • Use tcpdump to capture traffic on the clusterbus port (replace <port> with the actual port number): tcpdump -i <interface> port <port> -w capture.pcap
  • Analyze the captured packets with Wireshark to look for malformed clusterbus ping extension packets.

Additionally, monitor the Valkey server logs and system logs for crashes or abnormal terminations of the Valkey process, which may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading the Valkey server to a fixed version: 9.0.3, 8.1.6, 8.0.7, or 7.2.12 or later.

As an additional mitigation, do not expose the Valkey clusterbus port directly to end users.

Protect the clusterbus connection with dedicated network access control lists (ACLs) to restrict access only to trusted hosts or networks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21863. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart