
CVE-2026-21863: CWE-125: Out-of-bounds Read in valkey-io valkey

Severity: High
Published: Mon Feb 23 2026 (02/23/2026, 19:41:28 UTC)
Source: CVE Database V5
Vendor/Project: valkey-io
Product: valkey

Description

CVE-2026-21863 is a high-severity out-of-bounds read vulnerability in the Valkey distributed key-value database affecting versions prior to 7.2.12, 8.0.7, 8.1.6, and 9.0.2. A remote attacker with network access to the Valkey clusterbus port can send a specially crafted invalid packet that triggers an out-of-bounds read, potentially causing the system to crash and resulting in a denial of service.

AI-Powered Analysis

Last updated: 02/23/2026, 20:52:11 UTC

Technical Analysis

CVE-2026-21863 is an out-of-bounds read vulnerability (CWE-125) in the Valkey distributed key-value database's clusterbus packet processing component. Valkey versions prior to 7.2.12, 8.0.7, 8.1.6, and 9.0.2 are affected. The vulnerability occurs because the code handling clusterbus ping extension packets does not verify that the extension packet lies within the bounds of the clusterbus packet buffer before attempting to read it. This improper validation allows a remote attacker with network access to the clusterbus port to send a malformed packet that triggers an out-of-bounds read. The consequence of this memory access violation is a potential system crash, leading to denial of service (DoS). The vulnerability requires no privileges or user interaction, and the attack vector is network-based, making it remotely exploitable. The CVSS v3.1 base score is 7.5 (high severity), reflecting the network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to availability (system crash). No known exploits have been reported in the wild yet. The vendor has released fixed versions 7.2.12, 8.0.7, 8.1.6, and 9.0.2 that address this issue by adding proper bounds checking. Additional recommended mitigations include not exposing the clusterbus port directly to end users and protecting it with dedicated network access control lists (ACLs) to limit exposure to trusted hosts only.
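The missing check described above, as an added C example that is not Valkey's code: a constructed parser for a hypothetical "ping extension" area appended to a cluster-bus-style packet, with the trusting variant next to the bounds-checked one. The wire layout, the function names and the sample packets are all assumptions made for this illustration; the point is which comparisons have to happen before any byte of an extension is read.

```c
/*
 * Constructed example (not Valkey's code): a minimal parser for a
 * "ping extension" area, showing the bounds checks whose absence yields a
 * CWE-125 out-of-bounds read. Hypothetical wire layout:
 *   total length (4 bytes, big-endian) | extension count (2 bytes) |
 *   extensions, each: type (2) | length (2, includes header) | payload
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PKT_HDR_LEN 6
#define EXT_HDR_LEN 4

struct ext_view { uint16_t type; uint16_t len; const uint8_t *payload; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Trusting variant: walks the extensions using the lengths the sender wrote
 * and never compares them to the bytes actually received. Shown only for
 * contrast; on a malformed packet it reads past the buffer. */
int parse_exts_unchecked(const uint8_t *pkt, size_t recvd, struct ext_view *out, int max) {
    (void)recvd;                            /* the defect: received size ignored */
    uint16_t count = rd16(pkt + 4);
    const uint8_t *p = pkt + PKT_HDR_LEN;
    int n = 0;
    for (uint16_t i = 0; i < count && n < max; i++) {
        out[n].type = rd16(p);              /* p may already be past the buffer */
        out[n].len = rd16(p + 2);
        out[n].payload = p + EXT_HDR_LEN;
        p += out[n].len;
        n++;
    }
    return n;
}

/* Checked variant: every length is validated against the bytes we hold
 * before it is used. Returns the extension count, or -1 on any violation. */
int parse_exts_checked(const uint8_t *pkt, size_t recvd, struct ext_view *out, int max) {
    if (recvd < PKT_HDR_LEN) return -1;
    if (rd32(pkt) != recvd) return -1;      /* header must describe what we received */
    uint16_t count = rd16(pkt + 4);
    size_t off = PKT_HDR_LEN;
    int n = 0;
    for (uint16_t i = 0; i < count; i++) {
        if (n >= max) return -1;
        if (recvd - off < EXT_HDR_LEN) return -1;   /* does the ext header fit? */
        uint16_t len = rd16(pkt + off + 2);
        if (len < EXT_HDR_LEN) return -1;           /* no zero-length loops */
        if (len > recvd - off) return -1;           /* does the payload fit? */
        out[n].type = rd16(pkt + off);
        out[n].len = len;
        out[n].payload = pkt + off + EXT_HDR_LEN;
        off += len;
        n++;
    }
    return n;
}

/* Constructed sample packets. VALID_PKT: 21 bytes, two extensions
 * (type 1 carrying "hello", type 2 carrying two bytes). BAD_LEN_PKT is the
 * same packet with the first extension's length field set to 1024. */
const uint8_t VALID_PKT[21] = {
    0x00, 0x00, 0x00, 0x15, 0x00, 0x02,
    0x00, 0x01, 0x00, 0x09, 'h', 'e', 'l', 'l', 'o',
    0x00, 0x02, 0x00, 0x06, 0xAA, 0xBB };
const uint8_t BAD_LEN_PKT[21] = {
    0x00, 0x00, 0x00, 0x15, 0x00, 0x02,
    0x00, 0x01, 0x04, 0x00, 'h', 'e', 'l', 'l', 'o',
    0x00, 0x02, 0x00, 0x06, 0xAA, 0xBB };

int main(void) {
    struct ext_view v[4];
    int n = parse_exts_checked(VALID_PKT, sizeof VALID_PKT, v, 4);
    printf("valid packet: %d extension(s)\n", n);
    for (int i = 0; i < n; i++) printf("  type=%u len=%u\n", v[i].type, v[i].len);
    /* Only the checked parser is run on malformed input; the unchecked one
     * would read beyond BAD_LEN_PKT here. */
    printf("oversized length field: %d (rejected)\n",
           parse_exts_checked(BAD_LEN_PKT, sizeof BAD_LEN_PKT, v, 4));
    printf("truncated to 12 bytes: %d (rejected)\n",
           parse_exts_checked(VALID_PKT, 12, v, 4));
    return 0;
}
```

The three comparisons in the checked loop are the whole fix: the header must fit in what remains, the declared length must be at least the header size so the cursor always advances, and the declared length must not exceed what remains. The total-length check at the top is what stops a truncated read from being treated as a complete packet.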

Potential Impact

The primary impact of CVE-2026-21863 is denial of service caused by system crashes due to out-of-bounds memory reads. Organizations running vulnerable versions of Valkey risk unplanned downtime and service disruption, which can affect availability of critical distributed key-value database services. This can degrade application performance, interrupt business operations, and potentially cause cascading failures in systems dependent on Valkey for data storage and retrieval. Since the vulnerability is remotely exploitable without authentication, attackers can launch DoS attacks from anywhere on the network if the clusterbus port is exposed. Although no direct confidentiality or integrity impacts are indicated, the availability impact alone can be significant for enterprises relying on Valkey for high-availability data services. The lack of known exploits in the wild reduces immediate risk, but the simplicity of exploitation and network exposure means attackers may develop exploits quickly. Organizations with Valkey deployments in critical infrastructure, cloud services, or financial systems could face operational and reputational damage if exploited.

Mitigation Recommendations

1. Upgrade all Valkey deployments to the fixed versions 7.2.12, 8.0.7, 8.1.6, or 9.0.2 as soon as possible to eliminate the vulnerability.
2. Restrict network access to the Valkey clusterbus port by implementing strict network ACLs that allow only trusted hosts and administrative systems to connect.
3. Avoid exposing the clusterbus port directly to end users or untrusted networks, including the internet.
4. Monitor network traffic to the clusterbus port for anomalous or malformed packets that could indicate exploitation attempts.
5. Employ network segmentation to isolate Valkey clusterbus traffic from general user traffic.
6. Implement robust logging and alerting on Valkey nodes to detect crashes or unusual behavior indicative of exploitation.
7. Conduct regular vulnerability scans and penetration tests to verify that the clusterbus port is properly protected and patched.
8. Develop incident response plans specifically addressing potential denial of service attacks against Valkey services.
9. Consider deploying network intrusion prevention systems (IPS) with signatures to detect malformed clusterbus packets once available.

These steps go beyond generic advice by focusing on network-level protections specific to the clusterbus port and emphasizing rapid patching and monitoring.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T16:44:16.367Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699cbd8cbe58cf853bc4b3eb

Added to database: 2/23/2026, 8:50:20 PM

Last enriched: 2/23/2026, 8:52:11 PM

Last updated: 2/24/2026, 5:51:20 AM

