PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-23631 redis CVE debrief

CVE-2026-23631 is a use-after-free vulnerability in Redis, an in-memory data structure store. An authenticated attacker can exploit the master-replica synchronization mechanism to trigger this vulnerability on replicas where replica-read-only is disabled or can be disabled, potentially leading to remote code execution. The vulnerability is patched in Redis version 8.6.3. As a workaround, users can prevent executing Lua scripts or avoid using replicas where replica-read-only is disabled. This vulnerability has a CVSS score of 6.1 and is classified as MEDIUM severity.

Vendor
redis
Product
Unknown
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-05
Original CVE updated
2026-06-30
Advisory published
2026-05-05
Advisory updated
2026-06-30

Who should care

System administrators and security teams responsible for managing Redis instances should be aware of this vulnerability. They should assess their current Redis setup, especially if replica-read-only is disabled, and consider applying the patch or workarounds to prevent potential exploitation.

Technical summary

The vulnerability exists in the Lua scripting feature of Redis. When replica-read-only is disabled on a replica, an authenticated attacker can manipulate the master-replica synchronization process to cause a use-after-free error. This could allow for remote code execution on the replica. The issue is addressed in Redis version 8.6.3. Users can also mitigate the risk by restricting Lua script execution or ensuring replica-read-only is enabled on replicas.

Defensive priority

  • Apply the patch: upgrade to Redis version 8.6.3 or later to fix the vulnerability.
  • Restrict Lua scripting: prevent users from executing Lua scripts if possible.
  • Configure replicas: ensure replica-read-only is enabled on replicas to limit the attack surface.

Recommended defensive actions

  • Apply the patch by upgrading to Redis version 8.6.3 or later.
  • Restrict Lua scripting to prevent exploitation.
  • Configure replicas to ensure replica-read-only is enabled.
  • Monitor Redis instances for suspicious activity.
  • Review and update incident response plans to include procedures for potential Redis exploitation.
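One way to check an instance against the conditions this debrief describes, as an added example that is not part of the debrief or of Redis itself: the script below parses the text that redis-cli returns for INFO server, INFO replication and CONFIG GET replica-read-only (embedded here as constructed sample output) and flags a replica that runs a version below 8.6.3 with replica-read-only disabled. The field names redis_version, role and replica-read-only are real Redis output; the version threshold comes from the advisory above; the host, port and version values in the samples are constructed.

```python
import re

# Fix version stated in the debrief for CVE-2026-23631.
PATCHED_VERSION = (8, 6, 3)

# Constructed sample output, as redis-cli would print it for an exposed replica.
SAMPLE_INFO_SERVER = """# Server
redis_version:8.6.2
redis_mode:standalone
"""
SAMPLE_INFO_REPLICATION = """# Replication
role:slave
master_host:10.0.0.5
master_port:6379
master_link_status:up
"""
SAMPLE_CONFIG_GET = """1) "replica-read-only"
2) "no"
"""


def parse_info(text):
    """Turn INFO output (key:value lines, '#' section headers) into a dict."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def parse_config_get(text):
    """Turn CONFIG GET output into a dict.

    Handles both the interactive form ('1) "name"' / '2) "value"') and the
    raw form redis-cli prints when not attached to a terminal (name and
    value on alternating lines).
    """
    items = []
    for raw in text.splitlines():
        line = re.sub(r"^\d+\)\s*", "", raw.strip()).strip('"')
        if line:
            items.append(line)
    return dict(zip(items[0::2], items[1::2]))


def version_tuple(version):
    """'8.6.2' -> (8, 6, 2). Missing components are padded with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(info_server, info_replication, config_get):
    """Return the findings for one instance.

    'exposed' is True only when every condition from the debrief holds:
    version below 8.6.3, the instance is a replica, and replica-read-only is off.
    """
    server = parse_info(info_server)
    repl = parse_info(info_replication)
    cfg = parse_config_get(config_get)

    version_str = server.get("redis_version", "0")
    version = version_tuple(version_str)
    role = repl.get("role", "unknown")
    # Redis reports 'slave' as the role string for a replica.
    is_replica = role == "slave"
    # A missing setting is treated as the Redis default ('yes').
    read_only = cfg.get("replica-read-only", "yes").lower() == "yes"

    findings = []
    if version < PATCHED_VERSION:
        findings.append(f"redis_version {version_str} is below the patched release 8.6.3")
    if is_replica and not read_only:
        findings.append("replica has replica-read-only disabled")
    return {
        "version": version_str,
        "role": role,
        "read_only": read_only,
        "findings": findings,
        "exposed": version < PATCHED_VERSION and is_replica and not read_only,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_INFO_SERVER, SAMPLE_INFO_REPLICATION, SAMPLE_CONFIG_GET)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("exposed:", result["exposed"])
```

On a real deployment the three inputs come from `redis-cli INFO server`, `redis-cli INFO replication` and `redis-cli CONFIG GET replica-read-only`, run with whatever authentication the instance requires. The script checks only the version and replica settings; the debrief's Lua restriction is a separate control that Redis 6 and later can enforce through ACLs by removing the `@scripting` command category from users who do not need it.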

Evidence notes

The CVE-2026-23631 vulnerability is documented in the official CVE record and the NVD database. The vulnerability is patched in Redis version 8.6.3, as noted in the Redis release notes and security advisories. Additional information is available from various sources, including Red Hat errata.

Official resources

This article is AI-assisted and based on the supplied source corpus.