CVE-2026-21863 in valkeyinfo

Summary

by MITRE • 02/23/2026

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/01/2026

The vulnerability identified as CVE-2026-21863 affects Valkey, a distributed key-value database system that serves as a fork of Redis. This security flaw represents a critical buffer over-read condition that can lead to system instability and potential denial of service scenarios. The vulnerability specifically impacts versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12, indicating a widespread issue affecting multiple major release lines of the database software. The flaw manifests through the clusterbus packet processing mechanism, which is responsible for maintaining communication between Valkey instances in a distributed cluster configuration.

The technical root cause of this vulnerability lies in insufficient input validation within the clusterbus packet processing code. When processing clusterbus ping extension packets, the system fails to verify that these extension packets are properly contained within the boundaries of the clusterbus packet buffer before attempting to read them. This oversight creates a classic buffer over-read condition where the application attempts to access memory locations beyond the allocated buffer space. The vulnerability operates at the protocol level, specifically targeting the clusterbus communication port which is used for cluster membership and gossip protocols. According to CWE classification, this represents a CWE-129: Improper Validation of Array Index vulnerability, where the system does not properly validate that array indices are within acceptable ranges before accessing memory locations. The flaw enables an attacker to craft malicious packets that can cause the Valkey process to read beyond intended memory boundaries, potentially leading to memory corruption and system crashes.

The operational impact of CVE-2026-21863 extends beyond simple service disruption to potentially compromise the entire database cluster's stability and availability. A malicious actor with access to the clusterbus port can exploit this vulnerability to cause arbitrary code execution or system crashes, leading to denial of service for legitimate database operations. The vulnerability is particularly concerning because the clusterbus port typically requires minimal authentication, making it an attractive target for attackers who can gain access through network reconnaissance or other means. In a production environment, this could result in cascading failures across the entire distributed database infrastructure, affecting data availability and application performance. The vulnerability aligns with ATT&CK technique T1499.004: Endpoint Denial of Service, where adversaries target system resources to prevent normal operation of services. The potential for remote code execution through memory corruption makes this vulnerability particularly dangerous in environments where the clusterbus port is exposed to untrusted networks.

The remediation for this vulnerability requires immediate deployment of patched versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, which contain the necessary code modifications to properly validate clusterbus packet boundaries. Beyond the software patch, network security measures should be implemented to protect the clusterbus communication channel. Organizations should implement network access controls that restrict direct exposure of the clusterbus port to end users, as recommended in the advisory. The use of dedicated network ACLs for the clusterbus connection provides an additional layer of protection by limiting access to only trusted cluster members and management interfaces. This approach aligns with the principle of least privilege and network segmentation practices commonly recommended in cybersecurity frameworks such as NIST SP 800-53. The vulnerability demonstrates the importance of input validation in network protocol implementations and highlights the need for robust buffer management practices in distributed systems. Security teams should also implement monitoring for unusual network traffic patterns on clusterbus ports and establish incident response procedures for handling potential exploitation attempts. The vulnerability serves as a reminder of the critical importance of validating all network inputs in distributed systems and the potential consequences of inadequate boundary checking in protocol implementations.

Responsible

GitHub M

Reservation

01/05/2026

Disclosure

02/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00552

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!