Vulnerability Management

Critical Redis vulnerability CVE-2026-23479 allows remote code execution

A critical remote code execution vulnerability, tracked as CVE-2026-23479, has been discovered in Redis, a popular in-memory data structure store. This flaw, present since Redis version 7.2.0, remained undetected for over two years before being publicly disclosed, according to a recent report by The Hacker News.

The vulnerability scores 8.8 under CVSS 3.1 and 7.7 under CVSS 4.0 and resides in the unblockClientOnKey() function in src/blocked.c. It is a use-after-free: a client pointer is dereferenced after the client has been freed as a side effect of processing a command. The bug was introduced by two commits in early 2023 and shipped in stable releases from 7.2.0 onward. The exploit chain demonstrated by Team Xint Code starts with a Lua script that leaks a heap pointer, then manipulates client memory to trigger the use-after-free, and finally overwrites a function pointer in the Global Offset Table to redirect execution to system(), giving remote code execution.

Exploitation requires an authenticated session with specific ACL privileges, privileges that the default user holds in many cloud deployments. Wiz's analysis notes that Redis is widespread in cloud environments and that many instances run without a password, which enlarges the attack surface. Redis has released fixed versions 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3 and urges users to upgrade immediately. Mitigations include keeping Redis off the public internet, tightening ACLs, and denying scripting to users that do not need it (for example by removing the @scripting command category, which covers EVAL and EVALSHA) if Lua is not in use.
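The two checks that follow from the paragraph above, classifying a running version against the fixed releases and finding ACL users who can still reach Lua scripting or have no password, as an added example in POSIX shell. This is not code from the article or from the Redis project; the sample INFO and ACL LIST output is constructed, the helper names are my own, and the version-line table is taken only from the releases the article names:

```shell
#!/bin/sh
# Added example, not code from the article or from the Redis project.
# Two checks for a Redis deployment after this advisory:
#   1. classify a redis_version string against the fixed releases the article
#      lists (7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3; flaw present since 7.2.0);
#   2. scan `ACL LIST` output for users that can still reach Lua scripting
#      (the privilege the exploit chain needs) or that have no password.
# All sample input below is constructed for illustration, not captured from a server.

# Extract redis_version from `redis-cli INFO server` output (lines are CRLF-terminated).
redis_version_from_info() {
  printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^redis_version://p'
}

# Print one word for a version: "unaffected" (below 7.2.0), "patched" (at or above
# the fixed release of its minor line), "vulnerable" (below it), or "unknown-line"
# (a 7.2+ line the article does not list; treat it as vulnerable until confirmed).
redis_version_status() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case $rest in
    *.*) patch=${rest#*.} ;;
    *)   patch=0 ;;
  esac
  patch=${patch%%[!0-9]*}          # drop suffixes such as -rc1
  [ -n "$patch" ] || patch=0
  if [ "$major" -lt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -lt 2 ]; }; then
    echo unaffected; return 0
  fi
  case "$major.$minor" in
    7.2) fixed=14 ;;
    7.4) fixed=9 ;;
    8.2) fixed=6 ;;
    8.4) fixed=3 ;;
    8.6) fixed=3 ;;
    *)   echo unknown-line; return 0 ;;
  esac
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Audit one `ACL LIST` line. Rules apply left to right, so a later +@all re-enables
# what an earlier -@scripting removed. Subtracting single commands after a category
# grant (e.g. +@all -eval) still leaves EVALSHA, so that is deliberately not treated
# as disabling scripting. Prints "<user> nopass=<0|1> scripting=<0|1>".
acl_line_audit() {
  set -f                           # no pathname expansion while splitting ~* and &*
  set -- $1                        # fields: user NAME on|off <rules...>
  set +f
  name=$2; nopass=0; scripting=0
  shift 2
  for tok in "$@"; do
    case $tok in
      nopass)                                                    nopass=1 ;;
      +@all|allcommands|+@scripting|+eval|+evalsha|+fcall|+fcall_ro) scripting=1 ;;
      -@all|nocommands|-@scripting)                              scripting=0 ;;
    esac
  done
  printf '%s nopass=%s scripting=%s\n' "$name" "$nopass" "$scripting"
}

# Audit a whole `ACL LIST` dump and print only the users that need attention.
acl_audit() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    out=$(acl_line_audit "$line")
    case $out in
      *nopass=1*|*scripting=1*) printf '%s\n' "$out" ;;
    esac
  done
}

# Constructed sample output; on a real host use `redis-cli INFO server` and `redis-cli ACL LIST`.
SAMPLE_INFO='# Server
redis_version:7.2.13
redis_mode:standalone'

SAMPLE_ACL='user default on nopass sanitize-payload ~* &* +@all
user app on #<password-hash> ~app:* &* -@all +get +set
user ops on #<password-hash> ~* &* -@scripting +@all'

v=$(redis_version_from_info "$SAMPLE_INFO")
printf 'redis_version=%s status=%s\n' "$v" "$(redis_version_status "$v")"
acl_audit "$SAMPLE_ACL"
```

On the constructed input this reports 7.2.13 as vulnerable and flags two users: default (no password, full command access) and ops, whose -@scripting is undone by the +@all that follows it. Appending `-@scripting` with ACL SETUSER puts the rule last, so it takes effect; setting a password on the default user, or disabling it, closes the nopass finding.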

Source: The Hacker News
