CVE-2026-21864
Received Received - Intake
Assertion Failure in Valkey-Bloom Module via Crafted RESTORE Command

Publication date: 2026-02-24

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21864
EUVD
EUVD-2026-7461
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lfprojects valkey-bloom to 1.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-21864 is a vulnerability in the valkey-bloom module, a Rust-based component of the Valkey distributed key-value database. The issue occurs because the module did not set a required flag (VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS) that handles errors during Redis Database (RDB) parsing. Without this flag, a specially crafted RESTORE command with invalid data can cause an assertion failure, which forces the Valkey server to shut down unexpectedly.

Although the valkey-bloom module correctly processes invalid RDB data, the missing flag means that parsing errors lead to a system assertion failure and server shutdown. This vulnerability was fixed by setting the appropriate flag to handle IO errors properly during the RESTORE command.

Impact Analysis

This vulnerability can cause a remote denial-of-service (DoS) condition. An attacker can send a specially crafted RESTORE command over the network that triggers an assertion failure in the Valkey server, causing it to shut down unexpectedly.

The impact is availability-related, meaning the server becomes unavailable due to the forced shutdown. There is no impact on confidentiality or integrity, but the service disruption can affect applications relying on the Valkey database.

Mitigation includes disabling the RESTORE command if it is not used by the application, which prevents exploitation of this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to execute a specially crafted RESTORE command with invalid or corrupted dump data against the valkey-bloom module.

A test approach involves sending a RESTORE command with invalid binary data and observing if the server shuts down or throws an assertion error.

  • Use a Redis client to issue a RESTORE command with deliberately malformed data.
  • Example command (conceptual): RESTORE <key> 0 <invalid_dump_data>

If the server crashes or shuts down upon this command, it indicates the vulnerability is present.

Mitigation Strategies

To mitigate this vulnerability, immediately disable the RESTORE command if it is not used by your application.

Ensure that your valkey-bloom module is updated to version 1.0.1 or later, which includes the patch that sets the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag to properly handle IO errors during RDB parsing.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart