PatchSiren cyber security CVE debrief
CVE-2026-27623 valkey-io CVE debrief
CVE-2026-27623 is a HIGH severity vulnerability in Valkey, a distributed key-value database. A malicious actor with network access can make the server abort by triggering an internal assertion. The issue arises from the server's improper handling of empty requests: an attacker can send a request that the server incorrectly treats as a violation of its server-side invariants, so the server shuts down. This vulnerability affects Valkey versions 9.0.0 to 9.0.2 and is fixed in version 9.0.3. As an additional mitigation, it is recommended to isolate Valkey deployments so that only trusted users have access.
- Vendor: valkey-io
- Product: valkey
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-23
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-23
- Advisory updated: 2026-06-30
Who should care
Organizations running Valkey versions 9.0.0 to 9.0.2 are exposed to this vulnerability. It allows a malicious actor with network access to shut the server down, which amounts to a denial of service. Users of Valkey should update to version 9.0.3 or apply the additional mitigations below to prevent exploitation.
Technical summary
The vulnerability in Valkey arises from the server failing to properly reset its networking state after processing an empty request. A malicious actor can then send a crafted request that the server incorrectly treats as a violation of its server-side invariants, so an assertion fires and the server process aborts. The issue is addressed in Valkey version 9.0.3. The CVSS score for this vulnerability is 7.5, a HIGH severity level: the attack vector is network-based, attack complexity is low, and no privileges or user interaction are required.
Defensive priority
High priority should be given to updating Valkey to version 9.0.3. Additionally, consider isolating Valkey deployments to limit access to trusted users only.
Recommended defensive actions
- Update Valkey to version 9.0.3 or later.
- Isolate Valkey deployments to restrict access to trusted users.
- Monitor Valkey instances for unusual activity.
- Review and adjust network access controls to limit exposure.
- Consider implementing additional security measures to detect and prevent similar attacks.
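As an added example (not part of this advisory or of the Valkey project), the following Python helper supports the update step: it reads `INFO server` responses gathered from each instance and flags versions inside the affected 9.0.0 to 9.0.2 range. It assumes the response carries a `valkey_version:` field; the host names and responses are constructed sample data.

```python
import re

# Affected range stated in the CVE record: 9.0.0 up to, but not including, the fixed 9.0.3.
AFFECTED_MIN = (9, 0, 0)
FIXED_IN = (9, 0, 3)

# Assumption: Valkey's INFO output carries a `valkey_version:` line. The
# `redis_version:` compatibility field is ignored on purpose, because it does
# not identify the Valkey release.
_VERSION_RE = re.compile(r"^valkey_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)


def parse_valkey_version(info_text: str):
    """Return (major, minor, patch) from an INFO response, or None if absent."""
    m = _VERSION_RE.search(info_text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True when the version lies inside the range named by the advisory."""
    return AFFECTED_MIN <= version < FIXED_IN


def triage(hosts: dict) -> dict:
    """Map host -> 'affected' | 'fixed' | 'outside_stated_range' | 'unknown'."""
    out = {}
    for host, info in hosts.items():
        v = parse_valkey_version(info)
        if v is None:
            out[host] = "unknown"          # no valkey_version field: inspect manually
        elif is_affected(v):
            out[host] = "affected"         # update to 9.0.3 or later
        elif v >= FIXED_IN:
            out[host] = "fixed"
        else:
            out[host] = "outside_stated_range"  # older than 9.0.0; not covered by this CVE
    return out


# Constructed sample INFO responses (not captured from real systems).
SAMPLE = {
    "cache-a": "# Server\r\nvalkey_version:9.0.1\r\nredis_version:7.2.4\r\n",
    "cache-b": "# Server\r\nvalkey_version:9.0.3\r\nredis_version:7.2.4\r\n",
    "cache-c": "# Server\r\nvalkey_version:8.1.0\r\n",
    "cache-d": "# Server\r\nredis_version:7.2.4\r\n",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```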
Evidence notes
The CVE-2026-27623 vulnerability is documented in the NVD database and has a CVSS score of 7.5. The issue is caused by the improper handling of empty requests in Valkey versions 9.0.0 to 9.0.2. The vulnerability can be exploited by a malicious actor with network access, potentially leading to a denial-of-service attack. The fix is included in Valkey version 9.0.3.
Official resources
- CVE-2026-27623 CVE record (CVE.org)
- CVE-2026-27623 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.