7.5

CVE-2026-21863

EPSS 0.02%
Veröffentlicht 23.02.2026 19:41:28
Zuletzt bearbeitet 25.02.2026 17:49:51
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lfprojects ≫ Valkey Version < 7.2.12

Lfprojects ≫ Valkey Version >= 8.0.0 < 8.0.7

Lfprojects ≫ Valkey Version >= 8.1.0 < 8.1.6

Lfprojects ≫ Valkey Version >= 9.0.0 < 9.0.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.043

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-125 Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-21863

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-21863

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-21863

EUVD