CVE-2026-54341
Received Received - Intake
DragonflyDB Out-of-Bounds Read in RESTORE Command

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.0, a crafted RESTORE payload triggers an out-of-bounds read in DragonflyDB's listpack collection loaders, crashing the entire server process (SIGSEGV). Because DragonflyDB requires no authentication by default and RESTORE is a normal keyspace command, an unauthenticated remote attacker can crash the server with a single ~24-byte command β€” a remote, repeatable denial of service. This vulnerability is fixed in 1.39.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-54341
EUVD
EUVD-2026-39811
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dragonflydb dragonfly to 1.39.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-54341 is a vulnerability in DragonflyDB where a specially crafted RESTORE command can cause the server to crash. This happens because the RESTORE operation only superficially checks the integrity of the payload, allowing an attacker to send a malformed listpack with an entry that declares an excessively large length but contains no actual data. When the server processes this entry, it reads beyond the allocated memory, causing a segmentation fault (SIGSEGV) and crashing the entire server process.

The attack is remote, unauthenticated, and repeatable, requiring only a single approximately 24-byte command to exploit. It affects all default configurations and all versions of DragonflyDB prior to 1.39.0. The vulnerability was fixed in version 1.39.0 by introducing deep integrity validation for RESTORE operations, which rejects malformed payloads instead of processing them.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to crash the DragonflyDB server by sending a single crafted RESTORE command. The impact is a remote, repeatable denial of service (DoS), causing the entire server process to terminate unexpectedly.

Because DragonflyDB requires no authentication by default and RESTORE is a normal keyspace command, any attacker with network access to the server can exploit this vulnerability without credentials. Additionally, the vulnerability can also crash replication replicas if the malicious payload is sent from a master, potentially disrupting replication and availability.

There are no operator-side mitigations other than upgrading to version 1.39.0 or later, which implements deep validation to prevent such crashes.

Mitigation Strategies

The vulnerability can be mitigated by upgrading DragonflyDB to version 1.39.0 or later.

The fix in version 1.39.0 introduces deep integrity validation for RESTORE operations, which prevents crashes by rejecting malformed payloads instead of processing them.

No operator-side mitigation exists other than upgrading, as the vulnerability allows unauthenticated remote attackers to crash the server with a single crafted RESTORE command.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart