CVE-2026-21864: CWE-20: Improper Input Validation in valkey-io valkey-bloom
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causing the server to shut down. Valkey modules are required to handle errors in RDB parsing by using the `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
AI Analysis
Technical Summary
Valkey-Bloom is a Rust-based module that adds a Bloom Filter data type to the Valkey distributed key-value database. CVE-2026-21864 is tracked as improper input validation (CWE-20) in the handling of the `RESTORE` command. `RESTORE` does not load a whole database from an RDB file; it creates a single key from a client-supplied serialized value (the payload format produced by `DUMP`, which uses the RDB value encoding), so for a bloom key it drives the module's RDB-load callback over attacker-controlled bytes. The module's own parser already checked for malformed data. The defect was that, before commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, valkey-bloom did not register with `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS`. Without that option the server treats any I/O error raised while a module loads RDB data as fatal and fails an assertion, terminating the process before the module's error handling ever runs. A client permitted to run `RESTORE` can therefore crash the server with one malformed payload. The patch sets the option, so a load error is reported back to the module and surfaces as a command error to the client instead of an abort. Disabling `RESTORE` where an application does not need it removes the trigger. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H): network-reachable, low complexity, low privileges required (an authenticated client able to issue `RESTORE`), no user interaction, and impact limited to availability.
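To make the failure mode concrete, here is an added model in Rust (not code from valkey-bloom or the Valkey server) of how the server reacts when a module's RDB-load callback hits a short read. The names `LoadIo`, `ModuleOptions`, `bloom_rdb_load` and `restore` are invented for illustration and are not the valkey-module crate API; the payload layout (a u64 capacity, a u64 length, then the filter bytes) is likewise a simplification, and the sample payloads are constructed inline. The module-side parser checks every load, as the advisory says valkey-bloom already did, yet with the option unset a truncated payload still kills the process because the host asserts before the module can return an error; with the option set the same input becomes an error reply to the client.

```rust
// Added example (not valkey-bloom's or Valkey's own code): a model of how the
// server treats a module RDB-load error with and without HANDLE_IO_ERRORS.
// `LoadIo`, `ModuleOptions`, `bloom_rdb_load` and `restore` are assumed names
// for illustration, not the real valkey-module crate API.

use std::panic;

/// Whether the module registered VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum ModuleOptions {
    Default,
    HandleIoErrors,
}

/// Stand-in for the RESTORE payload reader the server hands to rdb_load.
pub struct LoadIo<'a> {
    buf: &'a [u8],
    pos: usize,
    options: ModuleOptions,
    error: bool,
}

impl<'a> LoadIo<'a> {
    pub fn new(buf: &'a [u8], options: ModuleOptions) -> Self {
        LoadIo { buf, pos: 0, options, error: false }
    }

    /// Host reaction to a short read: with the option set the error is
    /// recorded and a dummy value returned so the module can notice it;
    /// without it the host asserts and the process dies.
    fn load_error(&mut self) {
        if self.options == ModuleOptions::HandleIoErrors {
            self.error = true;
        } else {
            panic!("server assertion: short read in module RDB load (no HANDLE_IO_ERRORS)");
        }
    }

    /// Read one little-endian u64 (a counter or a length).
    pub fn load_u64(&mut self) -> u64 {
        if self.error { return 0; }
        let buf = self.buf;
        match self.pos.checked_add(8).and_then(|end| buf.get(self.pos..end)) {
            Some(b) => { self.pos += 8; u64::from_le_bytes(b.try_into().unwrap()) }
            None => { self.load_error(); 0 }
        }
    }

    /// Read a length-prefixed byte string (the filter bit array). checked_add
    /// keeps an oversized length field from overflowing the index arithmetic.
    pub fn load_bytes(&mut self) -> Vec<u8> {
        let len = self.load_u64() as usize;
        if self.error { return Vec::new(); }
        let buf = self.buf;
        match self.pos.checked_add(len).and_then(|end| buf.get(self.pos..end)) {
            Some(b) => { self.pos += len; b.to_vec() }
            None => { self.load_error(); Vec::new() }
        }
    }

    pub fn is_io_error(&self) -> bool { self.error }
}

/// Minimal stand-in for a deserialized bloom filter.
#[derive(Debug, PartialEq)]
pub struct BloomObject { pub capacity: u64, pub bits: Vec<u8> }

/// The module's rdb_load callback. It checks the I/O error flag after loading,
/// which is the "correctly handled parsing" the advisory describes.
pub fn bloom_rdb_load(io: &mut LoadIo) -> Result<BloomObject, String> {
    let capacity = io.load_u64();
    let bits = io.load_bytes();
    if io.is_io_error() {
        return Err("malformed bloom payload".into());
    }
    Ok(BloomObject { capacity, bits })
}

/// Outcome of a RESTORE from the server's point of view.
#[derive(Debug, PartialEq)]
pub enum RestoreOutcome { Ok(BloomObject), ClientError(String), ServerCrashed }

pub fn restore(payload: &[u8], options: ModuleOptions) -> RestoreOutcome {
    // catch_unwind stands in for "the process was killed"; a real server does not recover.
    let result = panic::catch_unwind(move || {
        let mut io = LoadIo::new(payload, options);
        bloom_rdb_load(&mut io)
    });
    match result {
        Ok(Ok(obj)) => RestoreOutcome::Ok(obj),
        Ok(Err(e)) => RestoreOutcome::ClientError(e),
        Err(_) => RestoreOutcome::ServerCrashed,
    }
}

/// Constructed sample payloads: a well-formed one and a truncated one.
pub fn valid_payload() -> Vec<u8> {
    let mut p = 1000u64.to_le_bytes().to_vec();   // capacity
    p.extend_from_slice(&4u64.to_le_bytes());     // bit array length
    p.extend_from_slice(&[0xAA, 0xBB, 0xCC, 0xDD]); // bit array
    p
}

pub fn truncated_payload() -> Vec<u8> {
    let p = valid_payload();
    p[..p.len() - 2].to_vec() // length says 4 bytes, only 2 remain
}

fn main() {
    panic::set_hook(Box::new(|_| {})); // keep the demo output quiet
    for opts in [ModuleOptions::Default, ModuleOptions::HandleIoErrors] {
        println!("{:?}: valid -> {:?}", opts, restore(&valid_payload(), opts));
        println!("{:?}: truncated -> {:?}", opts, restore(&truncated_payload(), opts));
    }
}
```

The point the model makes is that correctness of the module's parser is not sufficient: the decision to abort or report is taken by the host inside the load primitives, so the module only gets a chance to act on a malformed payload once it has opted in to I/O error handling.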
Potential Impact
The impact of CVE-2026-21864 is denial of service: a client that can issue `RESTORE` can crash the Valkey process with one malformed payload, taking down every application that depends on that instance for caching, session state, rate limiting or other data. Confidentiality and integrity are not affected; the concern is availability, and the crash can be repeated as soon as the server comes back, turning a single restart into sustained downtime. Because the process is terminated by an assertion rather than a clean shutdown, writes not yet persisted (since the last RDB snapshot or AOF fsync) can be lost as well. Only low privileges are required, so any credential permitted to run `RESTORE` (including the default user on an instance with no ACLs or authentication configured) is enough, which puts exposed or weakly authenticated deployments most at risk.
Mitigation Recommendations
Upgrade valkey-bloom to a build that includes commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, which registers the module with `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` so that RDB parsing errors are returned to the module instead of asserting. Until then, remove `RESTORE` from users that do not need it, for example with an ACL rule such as `ACL SETUSER <user> -restore` (or the equivalent line in the ACL file), or disable the command for the whole instance with `rename-command RESTORE ""` in valkey.conf; `MIGRATE` and some backup and key-copy tooling rely on `DUMP`/`RESTORE`, so check for that dependency first. Require authentication and restrict the Valkey port to trusted hosts with firewall rules or security groups, since the attacker must reach the server and be allowed to run a write command. Watch the server log for assertion failures and unexpected restarts, and alert on `RESTORE` commands from clients that are not expected to issue them. Replicas with automatic failover limit the outage from one crash but do not stop an attacker from crashing the replacement, so they complement rather than replace the patch. Keep the module and the server on a regular update cadence.
Affected Countries
United States, Germany, United Kingdom, France, Japan, South Korea, China, India, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T16:44:16.367Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699cf533be58cf853bf604d4
Added to database: 2/24/2026, 12:47:47 AM
Last enriched: 3/3/2026, 8:32:39 PM
Last updated: 4/10/2026, 5:37:57 AM