High severity · 8.8 · NVD Advisory · Published May 5, 2026 · Updated May 6, 2026
CVE-2026-23479
Description
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from processCommandAndResetClient when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
Affected products
15 products. osv-coords, 12 versions:
- pkg:apk/chainguard/py3.10-redis
- pkg:apk/chainguard/py3.12-redis
- pkg:apk/chainguard/py3.13-redis
- pkg:apk/chainguard/py3-redis
- pkg:bitnami/keydb
- pkg:bitnami/redis
- pkg:bitnami/valkey
- pkg:rpm/almalinux/redis
- pkg:rpm/almalinux/redis-devel
- pkg:rpm/almalinux/redis-doc
- pkg:rpm/opensuse/redis&distro=openSUSE%20Tumbleweed
- pkg:rpm/opensuse/valkey&distro=openSUSE%20Tumbleweed

Ranges:
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: >= 7.2.0, < 7.2.14
- (no CPE) range: >= 7.2.0, < 7.2.14
- (no CPE) range: < 7.2.13
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 8.6.3-1.1
- (no CPE) range: < 9.0.4-1.1
References
- github.com/redis/redis/security/advisories/GHSA-93m2-935m-8rj3 (nvd, Vendor Advisory)
- github.com/redis/redis/releases/tag/8.6.3 (nvd, Release Notes)
News mentions
- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More (The Hacker News · Jun 8, 2026)
- Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) (The Hacker News · Jun 3, 2026)
- ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More (The Hacker News · May 18, 2026)
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)