Valkey is a high-performance in-memory key-value store supporting complex data types and atomic operations, with features including Lua scripting and master-slave replication. Two vulnerabilities have been fixed in Valkey: CVE-2025-67733, which allows data tampering and denial of service due to improper null character handling in Lua scripts, and CVE-2026-21863, which causes denial of service through invalid clusterbus packets. These issues affect Red Hat Enterprise Linux 10 and related packages. Red Hat Product Security has released an update (valkey-8.0.7-1.el10_1) to address these vulnerabilities. The advisory classifies the impact as Important, and users should refer to the official Red Hat errata RHSA-2026:3443 for update instructions.

The vulnerabilities can lead to data tampering and denial of service conditions in Valkey deployments. Specifically, improper null character handling in Lua scripts may allow manipulation of data or service disruption, while malformed clusterbus packets can cause denial of service. These impacts affect the integrity and availability of services relying on Valkey. No evidence of active exploitation has been reported.

Red Hat has released an official security update for Valkey (version 8.0.7-1.el10_1) that addresses these vulnerabilities. Users running affected versions of Red Hat Enterprise Linux 10 should apply this update promptly following Red Hat's guidance at https://access.redhat.com/articles/11258. Since this is an on-premises product, remediation requires manual patching. There are no vendor statements indicating that no action is required or that the issue is already mitigated without patching.