CVE-2026-23479
Use-After-Free in Redis Server via Blocked Command Re-execution
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redis | redis | From 7.2.0 (inc) to 8.6.3 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23479 is a use-after-free vulnerability in Redis versions from 7.2.0 up to, but not including, 8.6.3. It sits in the unblock-client flow: when a blocked client is evicted while its blocked command is being re-executed, the caller does not handle the error return from processCommandAndResetClient and keeps using the client object after it has been freed. An authenticated attacker can trigger this use-after-free, which may lead to remote code execution.
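The shape of the bug is "a callee may free its argument and signals that through its return value; the caller ignores the return value and keeps using the argument". The following C program is an added, constructed illustration of that pattern and its fix. It is not Redis source: the names client, freeClient and processCommandAndResetClient borrow the advisory's vocabulary, but the structure, the memory accounting, the eviction rule and the numeric cap are assumptions made for the demonstration, and freeing is instrumented with a flag instead of a real free() so the bad access is observable rather than undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of CWE-416 via an unchecked error return. NOT Redis code:
 * the names mirror the advisory, the bodies are assumptions for illustration. */

#define C_OK   0
#define C_ERR -1

typedef struct client {
    int    id;
    size_t mem_used;   /* bytes attributed to this client (assumed accounting) */
    bool   blocked;    /* client is parked on a blocking command */
    bool   freed;      /* instrumentation: set instead of calling free(), so a
                          later access is observable instead of undefined */
} client;

/* Assumed per-client memory cap; 0 disables eviction. */
static size_t g_maxmemory_clients = 0;

/* Model of client eviction: in a real server this releases the object. */
static void freeClient(client *c) {
    c->blocked = false;
    c->freed   = true;
}

/* Model of re-executing the blocked command for this client. If the command
 * pushes the client over the cap, the client is evicted (freed) and C_ERR is
 * returned; after that return the pointer must not be dereferenced. */
static int processCommandAndResetClient(client *c, size_t cmd_mem) {
    c->mem_used += cmd_mem;
    if (g_maxmemory_clients != 0 && c->mem_used > g_maxmemory_clients) {
        freeClient(c);
        return C_ERR;
    }
    return C_OK;
}

/* Vulnerable shape: the return value is ignored and the caller keeps using c
 * to finish the unblock bookkeeping. Returns 1 if that final write landed on
 * an already-freed client (a use-after-free in a real server), else 0. */
static int unblockClient_unsafe(client *c, size_t cmd_mem) {
    processCommandAndResetClient(c, cmd_mem);
    int touched_freed = c->freed;      /* the dereference below is the UAF */
    c->blocked = false;
    return touched_freed;
}

/* Hardened shape: treat C_ERR as "the client no longer exists" and stop. */
static int unblockClient_fixed(client *c, size_t cmd_mem) {
    if (processCommandAndResetClient(c, cmd_mem) == C_ERR)
        return C_ERR;                  /* c is gone; do not touch it */
    c->blocked = false;
    return C_OK;
}

/* Driver: one blocked client, a cap, and a command costing cmd_mem bytes.
 * Returns the result of the chosen unblock routine. */
static int run_scenario(size_t cap, size_t cmd_mem, bool use_fixed) {
    client c;
    memset(&c, 0, sizeof c);
    c.id = 1;
    c.blocked = true;
    g_maxmemory_clients = cap;
    return use_fixed ? unblockClient_fixed(&c, cmd_mem)
                     : unblockClient_unsafe(&c, cmd_mem);
}

int main(void) {
    /* Constructed inputs: a 100-byte cap and a 150-byte command force eviction.
     * The unsafe path reports the freed access; the fixed path reports C_ERR. */
    int unsafe_hit = run_scenario(100, 150, false);
    int fixed_rc   = run_scenario(100, 150, true);
    return (unsafe_hit == 1 && fixed_rc == C_ERR) ? 0 : 1;
}
```

The point to take from the fixed version is that C_ERR here does not mean "retry" or "log and continue"; it means the object the caller holds a pointer to may already be gone, so the only safe action is to return without touching it. Reviewing callers of any routine that can free its argument for exactly this return-value check is the practical audit this CWE suggests.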
How can this vulnerability impact me?
A successful exploit could let an attacker execute arbitrary code on the affected Redis server, with high impact on the confidentiality, integrity and availability of that host and of the data it holds. Exploitation requires an authenticated client but no privileges beyond that and no user interaction, so any user or application that can authenticate to the server, or any attacker who obtains such credentials, is a potential source of the attack. Successful exploitation could lead to full compromise of the server.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Redis to 8.6.3 or later, which fixes the error handling in the unblock-client flow. Confirm what is actually running with `redis-cli INFO server` and check the `redis_version` field; the affected range starts at 7.2.0, so older releases are not in scope of this advisory. Because exploitation requires an authenticated client, restricting which networks and ACL users can reach and authenticate to the server reduces exposure until the upgrade is done, but it is not a substitute for patching.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-23479 is a high-severity vulnerability that can lead to remote code execution, affecting the confidentiality, integrity and availability of systems running the affected Redis versions. Such an impact could bear on compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and system integrity, but the available information does not describe any direct effect on compliance with these or other standards.