CVE-2026-23479 HIGH

CVE-2026-23479: redis-server use-after-free in unblock client flow may allow remote code execution

Vendor Redis
Product redis
Weakness CWE-416
Published May 5, 2026
Last update June 30, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

Key dates

02Disclosure timeline

May 5, 2026 CVE published
June 30, 2026 Record updated