
Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

Published:

3 June 2026 at 13:47:09

Alert date:

3 June 2026 at 21:02:42

Source:

thehackernews.com


Database & Storage, Zero-Day Vulnerabilities, Cloud & Virtualization

An autonomous AI tool discovered a critical 2-year-old remote code execution vulnerability in Redis database software. The flaw, tracked as CVE-2026-23479, is a use-after-free vulnerability in Redis's blocking-client code that allows authenticated users to execute arbitrary OS commands on the host machine. The vulnerability was introduced in Redis 7.2.0 and remained undetected in all stable branches for over two years until it was patched on May 5. This represents a significant security risk given Redis's widespread use in production environments and the severity of allowing remote code execution.

Technical details

CVE-2026-23479 is a use-after-free vulnerability (CWE-416) in Redis's blocking-client code, in the unblockClientOnKey() function in src/blocked.c. When a key event wakes a blocked command, the function dispatches the queued command through processCommandAndResetClient() and then continues using the same client pointer. processCommandAndResetClient() can free the client as a side effect, but the caller ignores its return value and reads the freed structure anyway.

The exploit chain described in the report works in three stages:

1) Leak a heap address with a one-line Lua script (EVAL "return tostring(redis.call)" 0).
2) Groom client memory limits and use a pipelined SET to reclaim the freed slot with a fake client structure.
3) Use Redis's memory accounting in updateClientMemoryUsage() to perform an out-of-bounds decrement aimed at the Global Offset Table, repointing strcasecmp() at system().

The vulnerability was introduced by two separate commits in 2023: a January refactor (PR #11012) that added the unchecked call, and a March change (PR #11568) that added further client accesses after it.

Mitigation steps:

Upgrade to a patched version: 7.2.14, 7.4.9, 8.2.6, 8.4.3, or 8.6.3 (all released on May 5).

If you cannot patch immediately:

Keep Redis off the public internet and behind TLS.
Tighten ACLs so that no single role holds @admin, CONFIG, and @scripting together.
Deny @scripting if Lua is not used; this removes the Stage 1 heap-address leak.
Prioritize internet-exposed instances, shared application credentials, and any role that combines CONFIG, scripting, and stream access.
Rotate broadly shared Redis credentials.

The full chain requires an authenticated session with CONFIG SET, EVAL, stream commands (XREAD/XADD), and basic SET/GET permissions.
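The ACL advice above is easier to act on with a quick audit of which roles actually hold the combination the chain needs. The following script is an added example, not code from the advisory, from The Hacker News, or from the Redis project: it parses a users.acl file, applies each user's rules in order, and flags roles that can run CONFIG, scripting commands, stream commands and SET/GET together. The command-to-category table is a hand-built subset of Redis's real ACL categories (an assumption, sufficient for the commands the advisory names); the sample ACL file is constructed.

```python
"""Audit a Redis users.acl file for roles that combine the permissions the
CVE-2026-23479 chain needs (CONFIG SET, EVAL, XREAD/XADD, SET/GET).

Added example, not the advisory's or Redis's own code. COMMAND_CATEGORIES is
an assumed SUBSET of Redis's real ACL category data; a production audit should
build the full table from `ACL CAT` / `COMMAND INFO` on the server itself.
"""

# Assumed partial mapping: command -> ACL categories it belongs to
COMMAND_CATEGORIES = {
    "config":  {"admin", "slow", "dangerous"},
    "eval":    {"scripting", "slow"},
    "evalsha": {"scripting", "slow"},
    "fcall":   {"scripting", "slow"},
    "xread":   {"read", "stream", "slow", "blocking"},
    "xadd":    {"write", "stream", "fast"},
    "set":     {"write", "string", "slow"},
    "get":     {"read", "string", "fast"},
    "ping":    {"fast", "connection"},
}

SCRIPTING_CMDS = {"eval", "evalsha", "fcall"}
STREAM_CMDS = {"xread", "xadd"}
KV_CMDS = {"set", "get"}


def _commands_in_category(cat):
    """All known commands in an ACL category ('all' means every command)."""
    if cat == "all":
        return set(COMMAND_CATEGORIES)
    return {c for c, cats in COMMAND_CATEGORIES.items() if cat in cats}


def effective_commands(rules):
    """Apply ACL rules left to right and return the set of commands allowed.

    Subcommand rules such as +config|set are treated at the parent-command
    level: for this audit any CONFIG SET ability is what matters. Tokens that
    do not affect commands (on/off, >password, ~keys, &channels) are ignored.
    """
    allowed = set()
    for rule in rules:
        if rule in ("reset", "nocommands", "-@all"):
            allowed.clear()
        elif rule in ("allcommands", "+@all"):
            allowed = set(COMMAND_CATEGORIES)
        elif rule.startswith(("+@", "-@")):
            cmds = _commands_in_category(rule[2:].lower())
            if rule[0] == "+":
                allowed |= cmds
            else:
                allowed -= cmds
        elif rule.startswith(("+", "-")):
            cmd = rule[1:].split("|", 1)[0].lower()
            if rule[0] == "+":
                allowed.add(cmd)
            else:
                allowed.discard(cmd)
    return allowed


def parse_acl_line(line):
    """'user <name> <rule> ...' -> (name, [rules]); None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        return None
    return tokens[1], tokens[2:]


def audit_user(rules):
    """Flags for one user: which chain prerequisites the role holds."""
    cmds = effective_commands(rules)
    has_config = "config" in cmds
    has_scripting = bool(cmds & SCRIPTING_CMDS)
    has_stream = bool(cmds & STREAM_CMDS)
    has_kv = bool(cmds & KV_CMDS)
    return {
        "config": has_config,
        "scripting": has_scripting,  # Stage 1 heap leak needs EVAL
        "stream": has_stream,
        "full_chain": has_config and has_scripting and has_stream and has_kv,
    }


def audit_acl(text):
    """Return {username: flags} for every user line in an ACL file."""
    result = {}
    for line in text.splitlines():
        parsed = parse_acl_line(line)
        if parsed:
            name, rules = parsed
            result[name] = audit_user(rules)
    return result


# Constructed sample users.acl; not taken from any real deployment
SAMPLE_ACL = """
# default user with everything: exactly the role the advisory warns against
user default on nopass ~* &* +@all
user app on >app-secret ~* +@read +@write +@stream -@scripting
user ops on >ops-secret ~* +@admin +@scripting +@stream +@string
user cache on >cache-secret ~cache:* +get +set
user deploy on >deploy-secret ~* -@all +config|set +eval +xread +set +get
"""

if __name__ == "__main__":
    for name, flags in audit_acl(SAMPLE_ACL).items():
        raised = [k for k, v in flags.items() if v]
        print(f"{name:8s} {', '.join(raised) or 'ok'}")
```

Run it against a copy of the live ACL file (or the output of `ACL LIST`, which uses the same `user ...` line format); any role reported as full_chain should be split, and any role reported as scripting on an instance that does not run Lua should get -@scripting.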

Affected products:

Redis 7.2.0 to 7.2.13
Redis 7.4.0 to 7.4.8
Redis 8.2.0 to 8.2.5
Redis 8.4.0 to 8.4.2
Redis 8.6.0 to 8.6.2

IOCs:

EVAL "return tostring(redis.call)" 0

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
