CVE-2026-27623
Status: Received - Intake
Assertion Failure in Valkey Networking Causes Denial of Service

Publication date: 2026-02-23

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Meta Information
Published: 2026-02-23
Last Modified: 2026-02-25
Generated: 2026-06-16
AI Q&A: 2026-02-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: lfprojects; Product: valkey; Version range: from 9.0.0 (inclusive) to 9.0.3 (exclusive)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27623 is a high-severity denial-of-service (DoS) vulnerability in the Valkey-server package versions 9.0.0 through 9.0.2. It occurs because the server does not properly reset its networking state after processing an empty request. A malicious actor with network access can send a specially crafted malformed request that causes the server to violate internal invariants, triggering an assertion failure and causing the server to abort unexpectedly.

This vulnerability requires no privileges or user interaction and has low complexity to exploit. It is fixed in version 9.0.3.

Impact Analysis

This vulnerability can cause the Valkey-server to unexpectedly shut down, resulting in a denial of service. This means that legitimate users will be unable to access the database while the server is down, potentially disrupting applications and services that rely on it.

Since the attack requires only network access and no privileges, it can be executed by any attacker who can reach the server, making it a significant availability risk.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected server crashes or aborts in Valkey-server versions 9.0.0 through 9.0.2 when processing network requests.

Since the issue is triggered by malformed RESP (Redis Serialization Protocol) requests causing assertion failures, one way to detect attempts is to capture and analyze network traffic for unusual or malformed RESP requests targeting the Valkey-server.

Specific commands to detect this vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade Valkey-server to version 9.0.3 or later, where this vulnerability is fixed.

Additionally, isolate Valkey deployments so that only trusted users have network access to the server, reducing the risk of exploitation.
