CVE-2026-27623
Assertion Failure in Valkey Networking Causes Denial of Service
Publication date: 2026-02-23
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lfprojects | valkey | From 9.0.0 (inc) to 9.0.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27623 is a high-severity denial-of-service (DoS) vulnerability in the Valkey-server package versions 9.0.0 through 9.0.2. It occurs because the server does not properly reset its networking state after processing an empty request. A malicious actor with network access can send a specially crafted malformed request that causes the server to violate internal invariants, triggering an assertion failure and causing the server to abort unexpectedly.
This vulnerability requires no privileges or user interaction and has low complexity to exploit. It is fixed in version 9.0.3.
How can this vulnerability impact me?
This vulnerability can cause the Valkey-server to unexpectedly shut down, resulting in a denial of service. This means that legitimate users will be unable to access the database while the server is down, potentially disrupting applications and services that rely on it.
Since the attack requires only network access and no privileges, it can be executed by any attacker who can reach the server, making it a significant availability risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected server crashes or aborts in Valkey-server versions 9.0.0 through 9.0.2 when processing network requests.
Since the issue is triggered by malformed RESP (Redis Serialization Protocol) requests causing assertion failures, one way to detect attempts is to capture and analyze network traffic for unusual or malformed RESP requests targeting the Valkey-server.
Specific commands to detect this vulnerability are not provided in the available resources.
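A version check against the affected range listed above, as an added example that is not part of this advisory or of the Valkey project: it parses the reply to `INFO server` (assumed to carry a `valkey_version:` field, with `redis_version:` kept for compatibility) and reports whether the node falls in [9.0.0, 9.0.3). The INFO sample is constructed.

```python
import re

# Affected range from the advisory: 9.0.0 (inclusive) to 9.0.3 (exclusive).
AFFECTED_MIN = (9, 0, 0)
FIXED_AT = (9, 0, 3)


def parse_version(text):
    """Turn '9.0.2' into (9, 0, 2); reject anything that is not three dotted integers."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True when the version lies in [9.0.0, 9.0.3), i.e. is affected by CVE-2026-27623."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_AT


def version_from_info(info_output):
    """Extract the server version from an INFO server reply.

    Assumption: Valkey reports 'valkey_version:' and keeps 'redis_version:' for
    client compatibility; the Valkey-specific field is preferred when present.
    """
    fields = {}
    for line in info_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '# Section' headers carry no key
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    for key in ("valkey_version", "redis_version"):
        if key in fields:
            return fields[key]
    raise ValueError("no version field found in INFO output")


def check_info(info_output):
    """Return (version, affected) for one INFO server reply."""
    version = version_from_info(info_output)
    return version, is_affected(version)


# Constructed sample of what `valkey-cli INFO server` might return on a vulnerable node.
SAMPLE_INFO = "# Server\r\nserver_name:valkey\r\nvalkey_version:9.0.2\r\nredis_version:7.2.4\r\n"

if __name__ == "__main__":
    version, affected = check_info(SAMPLE_INFO)
    print(f"valkey {version}: {'AFFECTED, upgrade to 9.0.3 or later' if affected else 'not affected'}")
```

Run it against the real reply with `valkey-cli INFO server | python3 check.py` after swapping `SAMPLE_INFO` for `sys.stdin.read()`.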
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Valkey-server to version 9.0.3 or later, where this vulnerability is fixed.
Additionally, isolate Valkey deployments so that only trusted users have network access to the server, reducing the risk of exploitation.