CVE-2026-27623
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| valkey-io | valkey | >= 9.0.0, < 9.0.3 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
Valkey: Valkey: Denial of Service via specially crafted network requests
Additional References
- https://access.redhat.com/security/cve/CVE-2026-27623
- https://bugzilla.redhat.com/show_bug.cgi?id=2442021
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27623.json
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.