CVE-2026-21863 (GCVE-0-2026-21863)
Vulnerability from cvelistv5 – Published: 2026-02-23 19:41 – Updated: 2026-02-23 19:41
Title
Malformed Valkey Cluster bus message can lead to Remote DoS
Summary
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey cluster bus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey cluster bus packet processing code does not validate that a cluster bus ping extension packet is located within the buffer of the cluster bus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Severity
7.5 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "valkey",
"vendor": "valkey-io",
"versions": [
{
"status": "affected",
"version": "\u003c 7.2.12"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.0.7"
},
{
"status": "affected",
"version": "\u003e= 8.1.0, \u003c 8.1.6"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don\u0027t expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T19:41:28.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"
}
],
"source": {
"advisory": "GHSA-c677-q3wr-gggq",
"discovery": "UNKNOWN"
},
"title": "Malformed Valkey Cluster bus message can lead to Remote DoS"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21863",
"datePublished": "2026-02-23T19:41:28.783Z",
"dateReserved": "2026-01-05T16:44:16.367Z",
"dateUpdated": "2026-02-23T19:41:28.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-21863\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-23T20:28:53.853\",\"lastModified\":\"2026-02-24T14:13:49.320\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don\u0027t expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.\"},{\"lang\":\"es\",\"value\":\"Valkey es una base de datos distribuida de clave-valor. Antes de las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12, un actor malicioso con acceso al puerto clusterbus de Valkey puede enviar un paquete inv\u00e1lido que puede causar una lectura fuera de l\u00edmites, lo que podr\u00eda resultar en la ca\u00edda del sistema. El c\u00f3digo de procesamiento de paquetes clusterbus de Valkey no valida que un paquete de extensi\u00f3n ping de clusterbus est\u00e9 ubicado dentro del b\u00fafer del paquete clusterbus antes de intentar leerlo. Las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12 solucionan el problema. Como una mitigaci\u00f3n adicional, no exponga la conexi\u00f3n del bus de cl\u00faster directamente a los usuarios finales y proteja la conexi\u00f3n con sus propias ACL de red.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"references\":[{\"url\":\"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.