
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN462
_____________________________________________________________________

DATE                : 06/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running redis-server.

=====================================================================
https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
https://github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3
https://github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826
_____________________________________________________________________

Invalid Memory Access in Redis RESTORE Command May Lead to Remote
Code Execution

Severity: High. Published by YaacovHazan as GHSA-c8h9-259x-jff4

Package
redis-server

Affected versions
All

Patched versions
TBD


Description

Impact

A vulnerability in the Redis RESTORE command allows an authenticated user
to trigger an invalid memory access via a specially crafted serialized
payload, potentially resulting in remote code execution.

Successful exploitation could allow an attacker with authenticated access
to execute arbitrary code in the context of the Redis server, potentially
leading to full compromise of the affected system, data exfiltration, or
service disruption.

This problem affects all Redis versions.


Details

The vulnerability is caused by insufficient validation of serialized values
processed by the RESTORE command, which allows malformed input to trigger
unsafe memory accesses.

Attack Prerequisites
The attacker must be authenticated to the Redis instance.
The attacker must have permission to execute the RESTORE command.
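Because the prerequisites are an authenticated client that is permitted to run RESTORE, a practical interim check while a server is unpatched is to see which clients actually issue RESTORE (and, for the Lua advisory further down, scripting commands). The following is an added example, not code from the advisory or the Redis project: it parses lines in the shape Redis MONITOR prints (`<time> [<db> <client>] "CMD" "arg" ...`) and reports watched commands from clients outside an allow-list of migration hosts. The sample capture, addresses, payload bytes and allow-list are constructed. MONITOR reduces throughput on busy servers, so attach it briefly or feed the same logic from a proxy's command log.

```python
"""Flag RESTORE and Lua-scripting commands in Redis MONITOR output.

Added example (not advisory or Redis project code). The sample lines and the
migration-host allow-list below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter

# One MONITOR line: `<unix-time> [<db> <client>] "CMD" "arg1" "arg2" ...`
# <client> is ip:port, unix:<socket-path>, or the literal `lua` for commands
# that a running script issues through redis.call().
MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] (?P<argv>.*)$'
)
# Every argument is double-quoted; non-printable bytes appear as \xNN escapes.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Commands the advisories' workarounds restrict.
RESTORE_CMDS = frozenset({"restore", "restore-asking"})
SCRIPTING_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro",
                            "fcall", "fcall_ro", "script", "function"})


def parse_monitor_line(line: str) -> dict | None:
    """Parse one MONITOR line; returns None for lines that do not match."""
    m = MONITOR_RE.match(line.strip())
    if m is None:
        return None
    argv = ARG_RE.findall(m.group("argv"))
    if not argv:
        return None
    return {
        "ts": float(m.group("ts")),
        "db": int(m.group("db")),
        "client": m.group("client"),
        "cmd": argv[0].lower(),   # Redis prints the command as the client sent it
        "args": argv[1:],
    }


def client_host(client: str) -> str:
    """Host part of ip:port (IPv6 shows as [addr]:port); 'unix:<path>' collapses
    to 'unix' and 'lua' stays 'lua'."""
    return client.rsplit(":", 1)[0]


def flag_commands(lines, allowed_restore_hosts=frozenset()):
    """Return (client, cmd, ts) for every RESTORE or scripting command seen.

    RESTORE from a host in allowed_restore_hosts (e.g. a migration job that
    legitimately replays DUMP payloads) is skipped; scripting commands are
    always reported, since the Lua advisory's workaround is to block them.
    """
    hits = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None:
            continue
        if ev["cmd"] in RESTORE_CMDS:
            if client_host(ev["client"]) in allowed_restore_hosts:
                continue
        elif ev["cmd"] not in SCRIPTING_CMDS:
            continue
        hits.append((ev["client"], ev["cmd"], ev["ts"]))
    return hits


def per_client_counts(hits):
    """Count flagged commands per client connection."""
    return Counter(client for client, _cmd, _ts in hits)


# Constructed MONITOR capture. 10.0.0.30 is the assumed migration host; the
# escaped payload bytes are placeholders, not real DUMP output.
SAMPLE_MONITOR = r"""
1778000000.000101 [0 10.0.0.12:50212] "SET" "session:42" "abc"
1778000000.000233 [0 10.0.0.12:50212] "GET" "session:42"
1778000000.001940 [0 10.0.0.30:41900] "RESTORE" "orders:7" "0" "\x00\x05hello\x0b\x00\xc9"
1778000000.002011 [0 10.0.0.12:50212] "RESTORE" "x" "0" "\x00\x03abc\x0b\x00\x11"
1778000000.002500 [0 198.51.100.7:60001] "EVAL" "return redis.call('set', KEYS[1], ARGV[1])" "1" "k" "v"
1778000000.003000 [0 lua] "set" "k" "v"
1778000000.003300 [0 10.0.0.12:50212] "restore-asking" "y" "0" "\x00\x01a\x0b\x00\x11"
"""
MIGRATION_HOSTS = frozenset({"10.0.0.30"})

if __name__ == "__main__":
    lines = SAMPLE_MONITOR.strip().splitlines()
    for client, cmd, ts in flag_commands(lines, MIGRATION_HOSTS):
        print(f"{ts:.6f} {client} {cmd}")
    print(per_client_counts(flag_commands(lines, MIGRATION_HOSTS)))
```

The `lua` pseudo-client is deliberately not in the watched set: commands a script issues internally are a consequence of the EVAL that is already reported, and reporting them again would only duplicate the finding.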


Workarounds
An additional workaround to mitigate the issue without patching the Redis
server executable is to prevent users from executing the RESTORE command
by applying an appropriate ACL restriction rule.

Credit
Emil Lerner during the Wiz Zeroday Cloud event.
Joseph Surin

Severity
High
7.7 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User interaction
None
Vulnerable System Impact Metrics
Confidentiality
High
Integrity
High
Availability
High
Subsequent System Impact Metrics
Confidentiality
None
Integrity
None
Availability
None
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-25243

Weaknesses
CWE-20 (Improper Input Validation)
CWE-122 (Heap-based Buffer Overflow)

_____________________________________________________________________

Use-After-Free in unblock client flow may lead to remote code
execution

Severity: High. Published by YaacovHazan as GHSA-93m2-935m-8rj3

Package
redis-server

Affected versions
>= 7.2

Patched versions
TBD


Description

Impact

When a blocked client is evicted while re-executing a blocked command,
an authenticated user may trigger a use-after-free and potentially
lead to remote code execution.

The problem exists in Redis 7.2 or newer.

Details
The code doesn't handle the case where processing the command
(processCommandAndResetClient) returns an error value.

Credits
The issue was reported by independent researcher Xint Code during the
Wiz Zeroday Cloud event.

Severity
High
7.7 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User interaction
None
Vulnerable System Impact Metrics
Confidentiality
High
Integrity
High
Availability
High
Subsequent System Impact Metrics
Confidentiality
None
Integrity
None
Availability
None
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-23479

Weaknesses
CWE-416 (Use After Free)

_____________________________________________________________________

Lua Use-After-Free may lead to remote code execution
Severity: Moderate. Published by YaacovHazan as GHSA-8ghh-qpmp-7826

Package
redis-server

Affected versions
All
Patched versions
TBD


Description

Impact
An authenticated user may abuse the master-replica synchronization
mechanism to trigger a use-after-free, potentially leading to remote code
execution.

The bug affects only replicas that are configured, or may be configured,
with replica-read-only disabled, and it exists in all versions of Redis
with Lua scripting.


Workarounds
An additional workaround to mitigate the problem without patching the
redis-server executable is to prevent users from executing Lua scripts,
or to avoid using replicas where replica-read-only is disabled.


Credit
The issue was reported by independent researcher Yoni Shiraz, identified
as DarkReplica, during the Wiz Zeroday Cloud event.

Severity
Moderate
6.1 / 10

CVSS v4 base metrics
Exploitability Metrics
Attack Vector
Network
Attack Complexity
High
Attack Requirements
None
Privileges Required
Low
User interaction
None
Vulnerable System Impact Metrics
Confidentiality
None
Integrity
High
Availability
High
Subsequent System Impact Metrics
Confidentiality
None
Integrity
None
Availability
None
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID
CVE-2026-23631

Weaknesses
CWE-416 (Use After Free)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================