LfprojectsValkey

5 matches found

CVE • added 2025/10/03 7:27 p.m. • 650 views

CVE-2025-49844

CVE-2025-49844 affects Redis—an in‑memory data store—with Lua scripting. An authenticated user can abuse a specially crafted Lua script to trigger a use‑after‑free and potentially achieve remote code execution. Affected versions: Redis 8.2.1 and earlier; fix: 8.2.2. Workarounds include ACL‑based ...

CVSS 9.9 • AI score 7.2 • EPSS 0.86268
In wild
CVE • added 2025/04/23 3:38 p.m. • 217 views

CVE-2025-21605

CVE-2025-21605 affects Redis where, in versions starting at 2.6 and before 7.4.3, an unauthenticated client can cause unlimited growth of the output buffer, exhausting memory and potentially crashing the server. The issue occurs because Redis’ default client-output-buffer-limit does not cap norma...

CVSS 7.5 • AI score 7.9 • EPSS 0.00824
CVE • added 2026/02/23 7:39 p.m. • 25 views

CVE-2025-67733

Valkey is affected by a RESP protocol injection via Lua error_reply. Before versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user could inject information into the response stream through scripting commands, potentially corrupting or returning tampered data to other users on the same connect...

CVSS 8.5 • AI score 5.6 • EPSS 0.00415
CVE • added 2026/02/23 7:41 p.m. • 19 views

CVE-2026-21863

Valkey (distributed key-value DB) contains a bug in the clusterbus packet processing: before reading a clusterbus ping extension, the code may read outside the buffer if an invalid packet is sent to the clusterbus port. This can be exploited by a malicious actor with access to the clusterbus port...

CVSS 7.5 • AI score 5.7 • EPSS 0.00388
CVE • added 2026/02/23 7:43 p.m. • 17 views

CVE-2026-27623

CVE-2026-27623 affects Valkey (distributed key-value database). From 9.0.0 up to but not including 9.0.3, an attacker with network access can trigger an assertion by sending crafted requests, because Valkey fails to reset its networking state after processing an empty request. This can cause the ...

CVSS 7.5 • AI score 5.5 • EPSS 0.00269