CVE Daily – Valkey

[Medium] CVE-2026-21864 – Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) ...

Tue, 24 Feb 2026 01:16:12 +0000

Medium CVE-2026-21864

Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDL…

CVSS: 6.5 · CWE: CWE-20

View on NVD

[High] CVE-2026-27623 – Valkey is a distributed key-value database. Starting in version 9.0.0 and prior ...

Mon, 23 Feb 2026 20:28:55 +0000

High CVE-2026-27623

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server inco…

CVSS: 7.5 · CWE: CWE-20

View on NVD

[High] CVE-2026-21863 – Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0...

Mon, 23 Feb 2026 20:28:53 +0000

High CVE-2026-21863

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clust…

CVSS: 7.5 · CWE: CWE-125

View on NVD

[High] CVE-2025-67733 – Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0...

Mon, 23 Feb 2026 20:28:53 +0000

High CVE-2025-67733

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9…

CVSS: 8.5 · CWE: CWE-74

View on NVD

[Low] CVE-2025-49112 – setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflo...

Mon, 02 Jun 2025 05:15:21 +0000

Low CVE-2025-49112

setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.

CVSS: 3.1 · CWE: CWE-191

View on NVD

[Medium] CVE-2025-23145 – In the Linux kernel, the following vulnerability has been resolved: mptcp: fix ...

Thu, 01 May 2025 13:15:50 +0000

Medium CVE-2025-23145

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix NULL pointer in can_accept_new_subflow When testing valkey benchmark tool with MPTCP, the kernel panics in 'mptcp_can_accept_new_subflow' because subflow_req->msk is NULL. Call trace: mptcp_can_accept_new_subflow (./net/mptcp/subflow.c:63 (discriminator 4)) (P) subflow_syn_recv_sock (./net/mptcp/subflow.c:854)…

CVSS: 5.5 · CWE: CWE-476

View on NVD