CVE-2026-54341 in dragonfly
Summary
by MITRE • 06/26/2026
Dragonfly is an in-memory data store built for modern application workloads. Prior to 1.39.0, a crafted RESTORE payload triggers an out-of-bounds read in DragonflyDB's listpack collection loaders, crashing the entire server process (SIGSEGV). Because DragonflyDB requires no authentication by default and RESTORE is a normal keyspace command, an unauthenticated remote attacker can crash the server with a single ~24-byte command — a remote, repeatable denial of service. This vulnerability is fixed in 1.39.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability affects DragonflyDB, an in-memory data store designed for modern application workloads that serves as a Redis-compatible database system. The flaw exists in the listpack collection loaders within DragonflyDB's implementation prior to version 1.39.0. A crafted RESTORE payload can trigger an out-of-bounds read condition that results in a segmentation fault and complete server crash. This represents a critical security issue because DragonflyDB operates without requiring authentication by default, making it particularly vulnerable to exploitation. The attack vector requires only a single approximately 24-byte RESTORE command to execute successfully, demonstrating the severity of the vulnerability.
The technical implementation of this flaw resides in how DragonflyDB processes listpack data structures during the RESTORE operation. When processing maliciously crafted payload data, the system fails to properly validate bounds checking within its internal listpack collection loaders. This allows an attacker to manipulate memory access patterns that exceed allocated buffer boundaries, resulting in a segmentation violation that terminates the entire server process. The vulnerability directly maps to CWE-129, which addresses improper validation of length parameters, and CWE-787, concerning out-of-bounds write operations. The specific nature of this issue constitutes an exploitable memory corruption vulnerability that can be leveraged for remote code execution or system compromise.
The operational impact of this vulnerability extends beyond simple service disruption as it enables a remote, unauthenticated attacker to perform repeatable denial of service attacks against DragonflyDB instances. This means that any system running an affected version of DragonflyDB is immediately at risk upon exposure to the internet, as no authentication is required for the RESTORE command. The minimal payload size of approximately 24 bytes makes this attack particularly efficient and difficult to detect in network traffic monitoring systems. Attackers can repeatedly exploit this vulnerability to keep target servers continuously unavailable, effectively rendering them unusable for legitimate operations.
Mitigation strategies for this vulnerability require immediate deployment of DragonflyDB version 1.39.0 or later, which includes proper bounds checking and input validation within the listpack collection loaders. Organizations should also consider implementing network-level restrictions such as firewall rules that limit access to DragonflyDB ports to trusted IP addresses only, though this is secondary to patching the core vulnerability. The remediation process should include thorough testing of the updated version in staging environments to ensure compatibility with existing applications and workloads. Additionally, security teams should monitor for any potential exploitation attempts through network logs and implement intrusion detection systems that can identify suspicious RESTORE command patterns. This vulnerability highlights the importance of proper input validation in database systems and demonstrates how seemingly minor implementation flaws can result in complete system compromise without authentication requirements.