High severity · 8.8 · NVD Advisory · Published May 5, 2026 · Updated May 6, 2026
CVE-2026-25243
Description
Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
Affected products
16 affected products
- osv-coords, 13 versions:
  - pkg:apk/chainguard/py3.10-redis
  - pkg:apk/chainguard/py3.11-redis
  - pkg:apk/chainguard/py3.12-redis
  - pkg:apk/chainguard/py3.13-redis
  - pkg:apk/chainguard/py3-redis
  - pkg:bitnami/keydb
  - pkg:bitnami/redis
  - pkg:bitnami/valkey
  - pkg:rpm/almalinux/redis
  - pkg:rpm/almalinux/redis-devel
  - pkg:rpm/almalinux/redis-doc
  - pkg:rpm/opensuse/redis&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/valkey&distro=openSUSE%20Tumbleweed
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 6.2.22
- (no CPE) range: < 6.2.22
- (no CPE) range: < 7.2.13
- (no CPE) range: < 6.2.22-1.el9_8
- (no CPE) range: < 6.2.22-1.el9_8
- (no CPE) range: < 6.2.22-1.el9_8
- (no CPE) range: < 8.6.3-1.1
- (no CPE) range: < 9.0.4-1.1
References
- github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4 (nvd: Mitigation, Vendor Advisory)
- github.com/redis/redis/releases/tag/8.6.3 (nvd: Release Notes)
News mentions
- ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More (The Hacker News · Jun 8, 2026)
- Patch Tuesday - May 2026 (Rapid7 Blog · May 13, 2026)