High severity 8.1 · NVD Advisory · Published May 5, 2026 · Updated May 6, 2026
CVE-2026-23631
Description
Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.
Affected products
13
- osv-coords, 11 versions (< 0 + 10 more):
  - pkg:apk/chainguard/py3.10-redis
  - pkg:apk/chainguard/py3.11-redis
  - pkg:apk/chainguard/py3-redis
  - pkg:bitnami/keydb
  - pkg:bitnami/redis
  - pkg:bitnami/valkey
  - pkg:rpm/almalinux/redis
  - pkg:rpm/almalinux/redis-devel
  - pkg:rpm/almalinux/redis-doc
  - pkg:rpm/opensuse/redis&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/valkey&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: >= 7.2.0, < 7.2.14
- (no CPE) range: >= 7.2.0, < 7.2.14
- (no CPE) range: < 7.2.13
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 7.2.14-1.module_el9.8.0+258+b8f945d3
- (no CPE) range: < 8.6.3-1.1
- (no CPE) range: < 9.0.4-1.1
References
2
- github.com/redis/redis/security/advisories/GHSA-8ghh-qpmp-7826 (nvd: Mitigation, Vendor Advisory)
- github.com/redis/redis/releases/tag/8.6.3 (nvd: Release Notes)
News mentions
3
- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More · The Hacker News · Jun 8, 2026
- Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server · Cyber Security News · Jun 8, 2026
- Patch Tuesday - May 2026 · Rapid7 Blog · May 13, 2026