AI Tool Uncovers Two-Year-Old Redis RCE Vulnerability (CVE-2026-23479)
An autonomous AI security tool has discovered a critical use-after-free vulnerability in Redis that allowed authenticated users to execute arbitrary OS commands; the flaw has now been patched.

Redis has addressed a significant use-after-free vulnerability in its blocking-client code, tracked as CVE-2026-23479. This flaw, present since Redis version 7.2.0, allowed authenticated users to execute arbitrary operating system commands on the server hosting the database. The vulnerability was discovered by an autonomous AI tool designed to proactively hunt for bugs in large codebases, highlighting the growing role of AI in cybersecurity.
The vulnerability, introduced through two specific code commits in early 2023 and present for over two years, was rated with a CVSS score of 8.8 by NVD and 7.7 by Redis. It was reported by Team Xint Code, a group known for developing autonomous AI security tools. The flaw resides in the unblockClientOnKey() function within src/blocked.c, where a client pointer is used after it has been freed, leading to a use-after-free condition (CWE-416).
Exploitation of this vulnerability is particularly concerning due to Redis's widespread deployment in cloud environments. Analysis by Wiz indicates that a large majority of cloud instances run Redis without password protection. While the exploit requires an authenticated session, default configurations often grant the default user all necessary privileges, making exploitation feasible in many scenarios.
The exploit chain involves several stages. Initially, a Lua script leaks a heap address. Subsequently, the attacker manipulates client memory limits, parks a large client on a stream, and then reduces the limits, triggering Redis to free the blocked client mid-operation. A pipelined SET command then reclaims the freed memory slot with a fake client structure. This allows the attacker to overwrite a function pointer, such as strcasecmp(), to point to system(), enabling arbitrary command execution.
The official Redis Docker image further simplifies exploitation by shipping with partial RELRO, leaving the Global Offset Table (GOT) writable at runtime. This bypasses protections like ASLR and PIE, as the memory write is relative to a fixed build-time offset. The full exploit chain requires specific ACL permissions, including @admin, @scripting, @stream, and @read/@write, which are often consolidated in default or shared application roles.
Redis stated that there is no evidence of exploitation in its own or customer environments, and no public reports of in-the-wild activity have surfaced as of the publication date. However, the public release of the technical details significantly increases the risk of follow-on exploitation by other threat actors.
Redis has released patched versions for multiple branches, including 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3, all available since May 5th. Users are strongly advised to upgrade to these patched minor versions. For those unable to patch immediately, mitigation strategies include keeping Redis off the public internet and behind TLS, tightening ACLs so that no single user combines administrative and scripting privileges, and disabling Lua scripting where it is not in use.
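As an added example (not code from Redis or from the article), the following audit script applies the two checks the mitigation advice above implies to saved `redis-cli INFO server` and `redis-cli ACL LIST` output: it classifies the reported version against the fixed releases listed above, and it lists enabled ACL users whose rules grant the full @admin, @scripting, @stream and @read/@write combination. It evaluates ACL rules at category granularity only, which is an approximation noted in the comments.

```python
"""Offline audit for CVE-2026-23479: added example, not Redis or article code.
Takes captured `redis-cli INFO server` and `redis-cli ACL LIST` text and reports
whether the build is a fixed release and which enabled users hold every category
the advisory says the exploit chain needs (@admin, @scripting, @stream, @read/@write)."""
import re

# Fixed releases per branch as stated in the advisory; 7.2.0 is the first affected
# release. Branches not listed here are reported as unknown rather than guessed.
FIXED = {(7, 2): 14, (7, 4): 9, (8, 2): 6, (8, 4): 3, (8, 6): 3}
TRACKED = {"admin", "dangerous", "scripting", "stream", "read", "write"}
NEEDED = {"admin", "scripting", "stream"}  # plus @read or @write

def version_status(info_server: str) -> str:
    """Return not_affected / patched / vulnerable / unknown_branch for redis_version."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) < (7, 2):
        return "not_affected"
    if (major, minor) not in FIXED:
        return "unknown_branch"
    return "patched" if patch >= FIXED[(major, minor)] else "vulnerable"

def effective_categories(rules):
    """Apply ACL command rules left to right at category granularity. Approximation:
    per-command rules (+eval, -config ...) and selectors are ignored; @dangerous is
    treated as containing @admin, which it does in the built-in category table."""
    granted = set()
    for rule in rules:
        if rule in ("allcommands", "+@all"):
            granted |= TRACKED
        elif rule in ("nocommands", "-@all"):
            granted.clear()
        elif rule.startswith(("+@", "-@")):
            cats = {rule[2:]} | ({"admin"} if rule[2:] == "dangerous" else set())
            granted = granted | cats if rule[0] == "+" else granted - cats
    return granted

def risky_users(acl_list: str):
    """Names of enabled users whose categories cover everything the chain needs."""
    risky = []
    for line in acl_list.splitlines():
        toks = line.split()  # user <name> on|off <passwords> <keys> <channels> <rules>
        if len(toks) < 3 or toks[0] != "user" or toks[2] != "on":
            continue
        rules = [t for t in toks[3:] if t[0] in "+-" or t in ("allcommands", "nocommands")]
        cats = effective_categories(rules)
        if NEEDED <= cats and cats & {"read", "write"}:
            risky.append(toks[1])
    return risky
```

Feed it the saved output of the two `redis-cli` commands; every name returned by `risky_users()` is a user whose rules the mitigation advice says to split, and `vulnerable` from `version_status()` means the branch has a fixed release you are not yet running.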
This discovery by an AI tool underscores a shift in vulnerability detection, where automated systems are proving capable of finding complex, long-standing flaws that may evade traditional code reviews. The vulnerability's two-year presence and its discovery by AI highlight the ongoing challenges in securing widely deployed software and the potential for AI to accelerate both vulnerability discovery and exploitation.