CVE-2026-21864: CWE-20: Improper Input Validation in valkey-io valkey-bloom

Severity: Medium
Published: Tue Feb 24 2026 (02/24/2026, 00:24:15 UTC)
Source: CVE Database V5
Vendor/Project: valkey-io
Product: valkey-bloom

Description

CVE-2026-21864 is a medium severity vulnerability in the valkey-bloom module of the Valkey distributed key-value database. The flaw arises from improper input validation related to the RESTORE command, which can trigger an assertion failure and cause the server to shut down. This occurs because the module did not set the required VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag, leading to unhandled errors during RDB parsing. The vulnerability affects versions prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, which contains a patch addressing the issue. Exploitation requires network access and low privileges but no user interaction. Mitigation includes applying the patch or disabling the RESTORE command if unused. No known exploits are currently reported in the wild. Organizations using Valkey with the valkey-bloom module should prioritize updating to the fixed version to prevent potential denial-of-service conditions.

AI-Powered Analysis

Last updated: 02/24/2026, 01:04:18 UTC

Technical Analysis

CVE-2026-21864 resides in the valkey-bloom module, a Rust-based extension that adds Bloom filter data types to the Valkey distributed key-value database. The issue is improper input validation (CWE-20) in the handling of the RESTORE command, which loads serialized data in RDB (Redis Database) format back into the server. Prior to the patch introduced in commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, the valkey-bloom module did not set the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag. This flag tells the server that the module handles I/O errors encountered while parsing RDB data. Without it, any error encountered while parsing a payload triggers an assertion failure and the Valkey server shuts down unexpectedly, a denial-of-service (DoS) condition. Triggering the bug requires sending a malformed RESTORE command over the network, which needs only low privileges and no user interaction. The patch sets the flag so that parsing errors are handled instead of crashing the server. Alternatively, disabling the RESTORE command where it is not needed mitigates the risk. No active exploitation has been reported, but the vulnerability puts the availability of affected systems at risk.

Potential Impact

The primary impact of CVE-2026-21864 is a denial-of-service condition caused by server shutdowns triggered by malformed RESTORE commands. This can disrupt availability of services relying on the Valkey distributed key-value database with the valkey-bloom module. Organizations using affected versions may experience unexpected outages, potentially affecting critical applications that depend on Valkey for data storage and retrieval. Since the vulnerability does not affect confidentiality or integrity, the risk is limited to availability. However, the ease of exploitation over the network and the lack of required user interaction increase the likelihood of attack attempts. Systems exposed to untrusted networks or with insufficient access controls are particularly at risk. The impact is more severe for environments where high availability and uptime are critical, such as financial services, telecommunications, and cloud service providers using Valkey. Although no known exploits are currently reported, the vulnerability should be treated seriously to avoid service disruptions.

Mitigation Recommendations

To mitigate CVE-2026-21864, organizations should immediately update the valkey-bloom module to the version including commit a68614b6e3845777d383b3a513cedcc08b3b7ccd or later, which sets the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag and properly handles RDB parsing errors. If updating is not immediately feasible, disabling the RESTORE command in the Valkey configuration is a practical interim measure to prevent exploitation. Network-level controls such as firewall rules should restrict access to the Valkey server, limiting RESTORE command usage to trusted administrators only. Monitoring logs for unusual RESTORE command activity can help detect attempted exploitation. Additionally, implementing rate limiting on the Valkey server may reduce the risk of denial-of-service attacks. Regularly auditing and testing the Valkey environment for proper error handling and applying security patches promptly will further reduce risk. Finally, organizations should review their incident response plans to address potential service outages caused by this vulnerability.
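As an added example (not part of this advisory), the log-monitoring recommendation above applied to Valkey MONITOR output: it parses MONITOR lines, flags RESTORE commands from clients outside an allow-list of administrative hosts, and flags bursts of RESTORE calls from a single client, which is what repeated crash attempts would look like. The sample lines, the trusted-host list and the burst thresholds are constructed for illustration.

```python
import re
from bisect import bisect_right
from collections import defaultdict

# Constructed sample of Valkey MONITOR output (not captured from any real deployment).
# Format: <unix time> [<db> <client addr>] "<command>" "<arg>" ...
SAMPLE_MONITOR = """\
1771891200.101000 [0 10.0.0.5:51234] "GET" "user:1"
1771891200.204000 [0 10.0.0.9:40022] "RESTORE" "bf:ips" "0" "\\x00\\x01\\x02"
1771891200.205000 [0 10.0.0.9:40022] "RESTORE" "bf:ips" "0" "\\xff\\xff"
1771891200.206000 [0 10.0.0.9:40022] "RESTORE" "bf:ips" "0" "\\xde\\xad" "REPLACE"
1771891201.300000 [0 10.0.0.2:60001] "RESTORE" "bf:agents" "0" "\\x00\\x07" "REPLACE"
1771891201.400000 [0 lua] "SET" "counter" "1"
"""

MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>\S+)\] "(?P<cmd>[^"]*)"(?P<args>.*)$'
)


def parse_monitor_line(line):
    """Parse one MONITOR line into a dict, or return None for lines that do not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return {"ts": float(m["ts"]), "client": m["client"], "cmd": m["cmd"].upper()}


def find_suspicious_restores(lines, trusted_hosts, burst_threshold=3, window_s=1.0):
    """Return (kind, client, ts) findings: RESTOREs from hosts outside trusted_hosts,
    plus one 'burst' finding per client that sends >= burst_threshold within window_s."""
    findings = []
    per_client = defaultdict(list)
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["cmd"] != "RESTORE":
            continue
        host = ev["client"].rsplit(":", 1)[0]  # keep the host part of "ip:port"
        if host not in trusted_hosts:
            findings.append(("untrusted_source", ev["client"], ev["ts"]))
        per_client[ev["client"]].append(ev["ts"])
    for client, stamps in per_client.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            # count RESTOREs in [start, start + window_s] using the sorted timestamps
            if bisect_right(stamps, start + window_s) - i >= burst_threshold:
                findings.append(("burst", client, start))
                break  # one burst finding per client is enough
    return findings
```

Run it as `find_suspicious_restores(SAMPLE_MONITOR.splitlines(), trusted_hosts={"10.0.0.2"})`; the same parser works on a `valkey-cli MONITOR` capture piped to a file.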


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T16:44:16.367Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699cf533be58cf853bf604d4

Added to database: 2/24/2026, 12:47:47 AM

Last enriched: 2/24/2026, 1:04:18 AM

Last updated: 2/24/2026, 6:00:29 AM