CVE-2026-23479

Redis · HIGH · CVSS 8.8 · No exploitation reported

What is CVE-2026-23479?

Redis is an in-memory data structure store. In redis-server versions from 7.2.0 up to but not including 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

CVSS: 8.8 (NVD, CVSS v3.1)
Severity: HIGH
Exploitation: No exploitation reported
EPSS: <1% · P28
Triage status: No Known Exploit
Action: Patch this week
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416 (Use After Free)
NVD published: 2026-05-05
NVD last modified: 2026-05-06

Affected product

Redis

Remediation Steps

  1. Apply the vendor security update for Redis as a priority.
  2. Restrict network exposure of the affected service to trusted sources until patched.
  3. Review logs and detections for indicators of exploitation.
  4. Confirm fixed versions against the official vendor advisory before deploying.

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.