CVE-2026-21863: CWE-125: Out-of-bounds Read in valkey-io valkey
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
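The missing check the advisory describes, shown as an added C example that is not Valkey's own code: a walker over length-prefixed ping extensions that verifies each header and body lies inside the packet buffer before reading it. The packet layout, field sizes, function names and sample packets are hypothetical constructions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical extension header: 2-byte type, 2-byte reserved, 4-byte
 * big-endian total length (header included). Not Valkey's real layout. */
#define EXT_HDR_LEN 8

typedef struct {
    uint16_t type;
    uint32_t len;        /* total length, header included */
    const uint8_t *data; /* first byte after the header */
} ping_ext_t;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* Parse ext_count extensions starting at byte offset off of a buflen-byte
 * packet. Returns the number parsed, or -1 if any header or body would lie
 * past the end of the buffer. Every bound is checked before the bytes it
 * guards are read, which is the check the advisory says was missing. */
int parse_ping_exts(const uint8_t *buf, size_t buflen, size_t off,
                    unsigned ext_count, ping_ext_t *out, unsigned out_cap) {
    unsigned n = 0;
    for (unsigned i = 0; i < ext_count; i++) {
        if (off > buflen || buflen - off < EXT_HDR_LEN) return -1; /* header OOB */
        uint32_t len = rd32(buf + off + 4);
        if (len < EXT_HDR_LEN || len > buflen - off) return -1;    /* body OOB */
        if (n < out_cap) {
            out[n].type = rd16(buf + off);
            out[n].len = len;
            out[n].data = buf + off + EXT_HDR_LEN;
        }
        n++;
        off += len;
    }
    return (int)n;
}
/* Constructed samples: 4 bytes of fake packet header, then extensions.
 * good_pkt holds type 1 (4 data bytes) and type 2 (no data); bad_pkt's
 * second extension claims 64 bytes although only 8 remain. */
static const uint8_t good_pkt[] = {0xAA, 0xBB, 0xCC, 0xDD,
    0, 1, 0, 0, 0, 0, 0, 12, 'd', 'a', 't', 'a', 0, 2, 0, 0, 0, 0, 0, 8};
static const uint8_t bad_pkt[] = {0xAA, 0xBB, 0xCC, 0xDD,
    0, 1, 0, 0, 0, 0, 0, 12, 'd', 'a', 't', 'a', 0, 2, 0, 0, 0, 0, 0, 64};

/* Parse a sample packet, trusting its claimed extension count ext_count. */
int parse_sample(const uint8_t *pkt, size_t len, unsigned ext_count) {
    ping_ext_t exts[4];
    return parse_ping_exts(pkt, len, 4, ext_count, exts, 4);
}
```

Note that the length check also rejects a zero-length extension, so a malformed packet cannot keep the loop spinning at the same offset.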
AI Analysis
Technical Summary
CVE-2026-21863 is an out-of-bounds read vulnerability classified under CWE-125 affecting the Valkey distributed key-value database. The vulnerability exists in the clusterbus packet processing component, which handles inter-node communication within a Valkey cluster. Specifically, the code does not verify that the clusterbus ping extension packet lies within the allocated buffer boundaries before attempting to read it. This lack of bounds checking allows a remote unauthenticated attacker with access to the clusterbus port to send a specially crafted invalid packet that triggers an out-of-bounds read. The consequence of this memory access violation is a potential system crash, leading to denial of service. Valkey versions prior to 7.2.12, 8.0.7, 8.1.6, and 9.0.2 are affected; those releases contain the fix. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the network attack vector, no required privileges or user interaction, and an impact limited to availability. No data confidentiality or integrity impacts are noted. Because no authentication is required, any party that can reach the clusterbus port can attempt exploitation. The vendor recommends upgrading to patched versions and restricting direct exposure of the clusterbus connection to end users by enforcing network ACLs. No public exploits have been reported yet, but the vulnerability's nature and ease of exploitation warrant prompt remediation.
Potential Impact
The primary impact of CVE-2026-21863 is denial of service caused by system crashes resulting from out-of-bounds memory reads. For organizations deploying Valkey in distributed database clusters, this can lead to service interruptions, degraded availability, and potential cascading failures if cluster nodes become unresponsive. Although there is no direct compromise of data confidentiality or integrity, the disruption of database availability can affect critical business operations, especially in environments relying on Valkey for real-time data storage and retrieval. Attackers do not require authentication or user interaction, increasing the risk of exploitation if the clusterbus port is exposed to untrusted networks. The vulnerability could be leveraged in targeted attacks against infrastructure using Valkey, potentially impacting cloud services, financial institutions, or enterprises with distributed key-value stores. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability's characteristics make it a candidate for future exploitation attempts. Organizations failing to patch or isolate the clusterbus port may face increased downtime and operational risk.
Mitigation Recommendations
To mitigate CVE-2026-21863, organizations should immediately upgrade Valkey to one of the fixed versions: 7.2.12 or later, 8.0.7 or later, 8.1.6 or later, or 9.0.2 or later. If upgrading is not immediately feasible, network-level protections must be enforced to restrict access to the clusterbus port. This includes implementing strict network ACLs or firewall rules that limit clusterbus port connectivity to trusted internal hosts only, preventing exposure to untrusted networks or the internet. Network segmentation should isolate the Valkey clusterbus communication channels from end-user access and other external systems. Additionally, monitoring network traffic for anomalous or malformed clusterbus packets can help detect attempted exploitation. Regularly auditing Valkey deployments for version compliance and exposure of clusterbus ports is recommended. Finally, organizations should maintain incident response plans to quickly address potential denial-of-service events impacting Valkey clusters.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T16:44:16.367Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699cbd8cbe58cf853bc4b3eb
Added to database: 2/23/2026, 8:50:20 PM
Last enriched: 3/3/2026, 1:24:59 AM
Last updated: 4/9/2026, 10:25:39 PM