Valkey is a distributed key-value database used for scalable data storage. Versions 9.0.0 up to but not including 9.0.3 contain a vulnerability classified as CWE-20 (Improper Input Validation). The vulnerability occurs because the Valkey server does not properly reset its networking state after processing an empty request. An attacker with network access can exploit this by sending a specially crafted request that the server misinterprets as violating internal server invariants. This triggers an assertion failure within the server code, causing the server process to abort unexpectedly. The failure results in a denial-of-service (DoS) condition, as the server becomes unavailable until restarted. The vulnerability requires no authentication or user interaction, and the attack surface is network-exposed, making it relatively easy to exploit remotely. The CVSS v3.1 base score is 7.5 (high), reflecting the ease of exploitation and impact on availability. The issue was addressed in Valkey version 9.0.3 by fixing the input validation and networking state reset logic. Additional recommended mitigations include isolating Valkey deployments so that only trusted users have network access to the service, reducing exposure to potential attackers.

The primary impact of CVE-2026-27623 is denial of service due to server process termination. Organizations relying on Valkey for critical data storage and retrieval may experience service outages, leading to application downtime and potential disruption of business operations. Since the vulnerability can be exploited remotely without authentication, attackers can cause repeated crashes, potentially leading to sustained unavailability. This can affect data accessibility and system reliability, especially in environments where Valkey is a core component of infrastructure. Although the vulnerability does not directly compromise confidentiality or integrity, the availability impact can indirectly affect business continuity and user trust. Systems exposed to untrusted networks are at higher risk, and organizations with high-availability requirements or those operating in sectors where downtime has significant consequences (e.g., finance, healthcare) are particularly vulnerable.

1. Upgrade all Valkey instances to version 9.0.3 or later immediately to apply the official fix. 2. Restrict network access to Valkey servers by implementing strict firewall rules and network segmentation, ensuring only trusted and authorized users or systems can communicate with the database. 3. Monitor network traffic to Valkey servers for unusual or malformed requests that could indicate exploitation attempts. 4. Implement automated service monitoring and restart mechanisms to minimize downtime if a crash occurs. 5. Conduct regular vulnerability assessments and penetration testing focused on Valkey deployments to detect potential weaknesses. 6. Review and harden configuration settings of Valkey to minimize exposure and enforce least privilege principles. 7. Maintain an incident response plan that includes procedures for handling denial-of-service events affecting critical database services.