CVE-2026-21864
Assertion Failure in Valkey-Bloom Module via Crafted RESTORE Command
Publication date: 2026-02-24
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | valkey-bloom | < 1.0.1 (1.0.1 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21864 is a vulnerability in the valkey-bloom module, a Rust-based component of the Valkey distributed key-value database. The module did not set a required flag (VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS) that tells the server the module handles errors during Redis Database (RDB) parsing. Without this flag, a specially crafted RESTORE command carrying invalid data causes an assertion failure, which forces the Valkey server to shut down unexpectedly.
Although the valkey-bloom module itself rejects the invalid RDB data correctly, without the flag the parsing error surfaces as a server assertion failure rather than a handled error, and the server shuts down. The fix sets the flag so that IO errors raised during RESTORE are handled properly.
How can this vulnerability impact me?
This vulnerability can cause a remote denial-of-service (DoS) condition. An attacker can send a specially crafted RESTORE command over the network that triggers an assertion failure in the Valkey server, causing it to shut down unexpectedly.
The impact is availability-related, meaning the server becomes unavailable due to the forced shutdown. There is no impact on confidentiality or integrity, but the service disruption can affect applications relying on the Valkey database.
Mitigation includes disabling the RESTORE command if it is not used by the application, which prevents exploitation of this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by executing a specially crafted RESTORE command with invalid or corrupted dump data against an instance that has the valkey-bloom module loaded.
The test approach is to send a RESTORE command with invalid binary data and observe whether the server aborts with an assertion failure. Because a positive result shuts the server down, run it only against a disposable test instance, never a production one.
- Use a Redis client to issue a RESTORE command with deliberately malformed data.
- Example command (conceptual): RESTORE <key> 0 <invalid_dump_data>
If the server crashes or shuts down on this command, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately disable the RESTORE command if it is not used by your application.
Ensure that your valkey-bloom module is updated to version 1.0.1 or later, which includes the patch that sets the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag to properly handle IO errors during RDB parsing.
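As an added, defender-side complement to the crash test and the mitigation steps above (example code written for this page, not the advisory's or the valkey-bloom project's own), the script below reads `MODULE LIST` output, reports whether the loaded valkey-bloom is older than the fixed 1.0.1, and prints the interim configuration that takes RESTORE away from clients. It assumes the module registers under the name `bf` and reports `ver` as the usual module version integer (major*10000 + minor*100 + patch, so 1.0.1 is 10001); the `MODULE LIST` replies are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the advisory or the valkey-bloom project:
# read `MODULE LIST` output, decide whether the loaded valkey-bloom is
# older than the fixed 1.0.1, and print the interim config that removes
# RESTORE from reach. Assumes the module registers as "bf" and reports
# "ver" as the usual module integer (major*10000+minor*100+patch => 10001).
FIXED_VER=10001

# Constructed stand-ins for `valkey-cli MODULE LIST` (not captured output).
SAMPLE_VULNERABLE='1) 1) "name"
   2) "bf"
   3) "ver"
   4) (integer) 10000'
SAMPLE_FIXED='1) 1) "name"
   2) "bf"
   3) "ver"
   4) (integer) 10001'

# Print the integer "ver" of the "bf" module, or nothing if it is not loaded.
# Every reply line ends in its value, so only the last field ($NF) matters.
bloom_module_ver() {
    printf '%s\n' "$1" | awk '
        $NF == "\"name\"" { getline; name = $NF; next }
        $NF == "\"ver\"" && name == "\"bf\"" { getline; print $NF; exit }
    '
}

# Exit 0 if the loaded module is below 1.0.1, 1 if fixed, 2 if not loaded.
is_bloom_vulnerable() {
    ver=$(bloom_module_ver "$1")
    [ -n "$ver" ] || return 2
    [ "$ver" -lt "$FIXED_VER" ]
}

# The interim mitigation the advisory names: make RESTORE unreachable.
restore_mitigation_lines() {
    cat <<'EOF'
# valkey.conf (restart required)
rename-command RESTORE ""
# or at runtime, per ACL user
ACL SETUSER default -restore
EOF
}

if is_bloom_vulnerable "$SAMPLE_VULNERABLE"; then
    echo "valkey-bloom ver $(bloom_module_ver "$SAMPLE_VULNERABLE") < $FIXED_VER; upgrade or apply:"
    restore_mitigation_lines
fi
```

To use it on a live server, replace the constructed sample with `valkey-cli MODULE LIST` output. Removing RESTORE also breaks any tooling that imports DUMP payloads, so confirm nothing depends on it before renaming the command or changing the ACL.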