CVE-2026-23631
Analyzed Analyzed - Analysis Complete
Remote Code Execution in Redis via Lua Scripting Use-After-Free

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23631
EUVD
EUVD-2026-27398
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redis redis to 8.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-23631 affects compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability immediately, you should prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled.

Additionally, upgrading to Redis version 8.6.3 or later, where this issue is patched, is recommended.

Executive Summary

This vulnerability exists in redis-server versions that support Lua scripting. An authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free condition on replicas where the replica-read-only setting is disabled or can be disabled. This flaw may lead to remote code execution on the affected replicas.

A use-after-free vulnerability occurs when a program continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code.

The issue is patched in redis-server version 8.6.3, and a workaround involves preventing users from executing Lua scripts or avoiding the use of replicas with replica-read-only disabled.

Impact Analysis

If exploited, this vulnerability can allow an authenticated attacker to execute arbitrary code remotely on the affected Redis replicas.

This could lead to unauthorized control over the Redis server, potentially compromising data integrity, availability, and confidentiality.

Systems using replicas with replica-read-only disabled are particularly at risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23631. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart