=====================================================================
CERT-Renater Information Note No. 2026/VULN209
_____________________________________________________________________

DATE : 24/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running valkey-server (valkey-io) versions
prior to 9.0.3, 8.1.6, 8.0.7, 7.2.12.
=====================================================================

https://github.com/valkey-io/valkey/security/advisories/GHSA-93p9-5vc7-8wgr
https://github.com/valkey-io/valkey/security/advisories/GHSA-p876-p7q5-hv2m
https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq
_____________________________________________________________________

Pre-Authentication DOS from malformed RESP request
Severity: High
Published by madolson as GHSA-93p9-5vc7-8wgr on Feb 23, 2026

Package:           valkey-server (valkey-io)
Affected versions: >= 9.0.0, <= 9.0.2
Patched versions:  9.0.3

Description

Impact
A malicious actor with network access to Valkey can cause the system to abort by triggering an assertion.

Details
When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server-side invariants, which results in the server shutting down.

Mitigation
When possible, we recommend making sure to properly isolate your Valkey deployments so that only trusted users have access.
Credits
The problem was reported by NVIDIA Networking Security researchers:
  Daniel Bransky  github.com/dBransky  (reporter)
  Eliya Cohen     github.com/eliyacohen-hub  (reporter)

Severity: High, 7.5/10
CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID:     CVE-2026-27623
Weaknesses: CWE-20
_____________________________________________________________________

RESP Protocol Injection via Lua error_reply
Severity: High
Published by madolson as GHSA-p876-p7q5-hv2m on Feb 23, 2026

Package:           valkey-server (valkey-io)
Affected versions: <= 9.0.1
Patched versions:  9.0.2, 8.1.6, 8.0.7, 7.2.12

Description

Impact
A malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection.

Details
The error handling code for Lua scripts does not properly handle null characters.

Mitigation
No additional mitigations are provided.

Credits
The problem was reported by https://github.com/jylab (@JYlab, finder).
Severity: High, 8.5/10
CVSS v3 base metrics:
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: Low
  User interaction:    None
  Scope:               Changed
  Confidentiality:     None
  Integrity:           Low
  Availability:        High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CVE ID:     CVE-2025-67733
Weaknesses: No CWEs
_____________________________________________________________________

Remote DoS with malformed Valkey Cluster bus message
Severity: Moderate
Published by madolson as GHSA-c677-q3wr-gggq on Feb 23, 2026

Package:           valkey-server
Affected versions: <= 9.0.2
Patched versions:  9.0.3, 8.1.6, 8.0.7, 7.2.12

Description

Impact
A malicious actor with access to the Valkey cluster bus port can send an invalid packet that may cause an out-of-bounds read, which might result in the Valkey process being terminated.

Details
The Valkey cluster bus packet processing code does not validate that a cluster bus ping extension packet is located within the buffer of the cluster bus packet before attempting to read it. Attempting to read memory outside of the memory allocated to the process can crash the server.

Mitigation
We recommend that the cluster bus port not be exposed directly to end users and that it be protected by its own network ACLs.

Credits
Discovered by 0x Kato (0xkkato@gmail.com)

Severity: Moderate, 6.5/10
CVSS v3 base metrics:
  Attack vector:       Adjacent
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     None
  Integrity:           None
  Availability:        High
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID:     CVE-2026-21863
Weaknesses: CWE-125
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41         +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================
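The RESP injection advisory (GHSA-p876-p7q5-hv2m) turns on a framing property of the protocol: simple error replies (`-...\r\n`) are line-delimited, so any text that reaches one unfiltered and contains a CR, LF or NUL can alter where the client's reader thinks the reply ends. The following added example is not Valkey's code and does not reproduce the advisory's exact bug; it is a simplified, hypothetical encoder and reader that show why an error text must be sanitized before it is framed as a simple error, and how a length-prefixed bulk string carries the same bytes without that risk.

```python
# Added example (not Valkey's code): RESP framing of error replies and why
# control bytes must not reach a line-delimited frame. The encoder and
# reader below are simplified, hypothetical implementations.

CRLF = b"\r\n"


def encode_simple_error_naive(msg: bytes) -> bytes:
    """Line-delimited RESP error with no validation (the unsafe pattern)."""
    return b"-" + msg + CRLF


def encode_simple_error(msg: bytes) -> bytes:
    """Line-delimited RESP error. CR, LF and NUL cannot be represented in a
    simple error, so they are replaced with spaces before framing."""
    cleaned = msg.replace(b"\r", b" ").replace(b"\n", b" ").replace(b"\x00", b" ")
    return b"-" + cleaned + CRLF


def encode_bulk(payload: bytes) -> bytes:
    """Length-prefixed bulk string: carries arbitrary bytes, NUL included,
    because the reader trusts the declared length, not a line terminator."""
    return b"$" + str(len(payload)).encode() + CRLF + payload + CRLF


def parse_replies(stream: bytes) -> list:
    """Split a byte stream into RESP frames the way a client reader would.
    Returns a list of (type, payload) tuples."""
    frames = []
    pos = 0
    while pos < len(stream):
        kind = stream[pos:pos + 1]
        end = stream.find(CRLF, pos)
        if end < 0:
            raise ValueError("truncated frame")
        line = stream[pos + 1:end]
        pos = end + 2
        if kind in (b"+", b"-", b":"):
            frames.append((kind.decode(), line))
        elif kind == b"$":
            length = int(line)
            if length < 0:
                frames.append(("$", None))  # null bulk string
                continue
            payload = stream[pos:pos + length]
            if len(payload) != length or stream[pos + length:pos + length + 2] != CRLF:
                raise ValueError("truncated bulk")
            frames.append(("$", payload))
            pos += length + 2
        else:
            raise ValueError("unknown frame type %r" % kind)
    return frames


# Constructed sample: an error text carrying a CRLF sequence, a second
# line that looks like a status reply, and a NUL byte.
SAMPLE_MESSAGE = b"ERR script failed\r\n+OK\x00"


def frames_from_naive() -> int:
    """How many frames a reader sees when the text is framed unfiltered."""
    return len(parse_replies(encode_simple_error_naive(SAMPLE_MESSAGE)))


def frames_from_hardened() -> int:
    """How many frames a reader sees after sanitizing."""
    return len(parse_replies(encode_simple_error(SAMPLE_MESSAGE)))
```

With the naive encoder the reader sees two frames where the server meant to send one; with the sanitizing encoder it sees one, and the bulk encoding preserves every byte of the original text. The same sanitize-or-length-prefix rule applies to any server-side path that turns user-influenced text into a simple string or simple error.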
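The cluster bus advisory (GHSA-c677-q3wr-gggq) is an instance of a general parser defect: a length or offset carried inside the packet is used to read memory before anyone checks that it points inside the bytes actually received. The added example below is not Valkey's code and the record layout is a constructed, hypothetical one (a fixed header followed by length-prefixed extension records), not the real cluster bus message format; it shows the checks a parser needs so that every read is bounded by the buffer it was handed.

```python
import struct

# Added example (not Valkey's code): bounds-checked parsing of length-
# prefixed extension records trailing a fixed header. The layout is a
# constructed, hypothetical one, not the Valkey cluster bus format.

HEADER = struct.Struct("!HH")   # declared total length, extension count
EXT_HDR = struct.Struct("!HH")  # extension type, extension length (incl. header)


def parse_extensions(buf: bytes) -> list:
    """Return [(ext_type, payload), ...] or raise ValueError.

    Every read is preceded by a check that the bytes it needs lie inside
    `buf`; declared lengths are never trusted on their own."""
    if len(buf) < HEADER.size:
        raise ValueError("packet shorter than fixed header")
    declared_len, count = HEADER.unpack_from(buf, 0)
    if declared_len > len(buf):
        # A header claiming more bytes than were received is the classic
        # trigger for an out-of-bounds read in a C parser.
        raise ValueError("declared length %d exceeds buffer %d" % (declared_len, len(buf)))
    pos = HEADER.size
    exts = []
    for _ in range(count):
        if pos + EXT_HDR.size > declared_len:
            raise ValueError("extension header at %d runs past packet" % pos)
        ext_type, ext_len = EXT_HDR.unpack_from(buf, pos)
        if ext_len < EXT_HDR.size or pos + ext_len > declared_len:
            raise ValueError("extension length %d at %d is out of bounds" % (ext_len, pos))
        exts.append((ext_type, buf[pos + EXT_HDR.size:pos + ext_len]))
        pos += ext_len
    return exts


def build_packet(exts) -> bytes:
    """Serialize extensions with a correct header (helper for building samples)."""
    body = b"".join(EXT_HDR.pack(t, EXT_HDR.size + len(p)) + p for t, p in exts)
    return HEADER.pack(HEADER.size + len(body), len(exts)) + body


# Constructed samples
GOOD_PACKET = build_packet([(1, b"node-a"), (2, b"\x00\x01")])
# Same packet with the last payload bytes cut off: the headers still claim
# the full size, which is exactly what the bounds check must catch.
TRUNCATED_PACKET = GOOD_PACKET[:-2]
# Declared total length is consistent with the buffer, but one extension
# claims to extend far past the end of the packet.
OVERLONG_EXT = HEADER.pack(HEADER.size + EXT_HDR.size + 2, 1) + EXT_HDR.pack(7, 500) + b"ab"


def is_well_formed(buf: bytes) -> bool:
    """True when the packet parses without any read leaving the buffer."""
    try:
        parse_extensions(buf)
        return True
    except ValueError:
        return False
```

In Python an unchecked `unpack_from` past the end raises an exception; in C the equivalent read silently returns whatever lies beyond the buffer or faults, which is the crash the advisory describes. The two checks that matter are the ones on `declared_len` against `len(buf)` and on each `pos + ext_len` against `declared_len`.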
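The three advisories in this note have different affected ranges and different patched releases per branch, so "is my server affected?" is not a single comparison. The added example below, which is not part of the note or of the Valkey project, encodes the ranges and patched versions exactly as stated above and decides, for a given version, which advisories still apply and which release on the same branch closes them. The INFO field names (`valkey_version`, `redis_version`) used to read the version from a server are assumed, not taken from the note.

```python
import re

# Added example (not part of the note or the Valkey project): map a
# valkey-server version to the advisories in this note that still apply.
# Ranges and patched versions are copied from the note; the INFO field
# names are assumed.

ADVISORIES = [
    # (GHSA id, CVE, affected lower bound or None, affected upper bound, patched versions)
    ("GHSA-93p9-5vc7-8wgr", "CVE-2026-27623", (9, 0, 0), (9, 0, 2), [(9, 0, 3)]),
    ("GHSA-p876-p7q5-hv2m", "CVE-2025-67733", None, (9, 0, 1),
     [(9, 0, 2), (8, 1, 6), (8, 0, 7), (7, 2, 12)]),
    ("GHSA-c677-q3wr-gggq", "CVE-2026-21863", None, (9, 0, 2),
     [(9, 0, 3), (8, 1, 6), (8, 0, 7), (7, 2, 12)]),
]


def parse_version(text: str) -> tuple:
    """'8.1.5' -> (8, 1, 5); tuples compare lexicographically, which is what we want."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised version %r" % text)
    return tuple(int(x) for x in m.groups())


def version_from_info(info: str) -> tuple:
    """Extract the server version from INFO output (field names assumed).
    valkey_version is preferred over the compatibility redis_version field."""
    fields = {}
    for line in info.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    for key in ("valkey_version", "redis_version"):
        if key in fields:
            return parse_version(fields[key])
    raise ValueError("no version field in INFO output")


def branch_fix(version: tuple, patched: list):
    """Patched release on the same major.minor branch, if the advisory names one."""
    for p in patched:
        if p[:2] == version[:2]:
            return p
    return None


def applicable_advisories(version: tuple) -> list:
    """Return [(GHSA id, CVE, fix on this branch or None)] for advisories that
    still apply to `version`. A branch the advisory lists no fix for is reported
    with fix None, because the stated affected range still covers it."""
    hits = []
    for ghsa, cve, lower, upper, patched in ADVISORIES:
        if lower is not None and version < lower:
            continue
        if version > upper:
            continue
        fix = branch_fix(version, patched)
        if fix is not None and version >= fix:
            continue  # already running the patched release for this branch
        hits.append((ghsa, cve, fix))
    return hits


# Constructed INFO excerpt (only the lines this example reads)
SAMPLE_INFO = "# Server\r\nvalkey_version:8.1.5\r\nos:Linux\r\n"
```

For an 8.1.5 server the pre-authentication DoS advisory does not apply (its range starts at 9.0.0), while the other two do, each closed by 8.1.6; a 9.0.3 server is clear of all three, as is 7.2.12.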