Full Report
Redis has patched a use-after-free in its blocking-client code that lets an authenticated user run arbitrary OS commands on the machine hosting the database. The flaw was found by an autonomous AI tool built to hunt bugs in large codebases. Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fixes, unnoticed for over two years.
Analysis Summary
# Vulnerability: Use-After-Free in Redis Blocking-Client Code Leading to RCE
## CVE Details
- **CVE ID:** CVE-2026-23479
- **CVSS Score:** 8.8 (High) - NVD / 7.7 (High) - Redis CVSS 4.0
- **CWE:** CWE-416 (Use After Free)
## Affected Systems
- **Products:** Redis (including official Docker images)
- **Versions:** Affected versions range from 7.2.0 to 8.6.2.
  - 7.2.x series: 7.2.0 to 7.2.13
  - 7.4.x series: 7.4.0 to 7.4.8
  - 8.2.x series: 8.2.0 to 8.2.5
- **Configurations:** Systems running with default ACLs or users granted `@admin`, `@scripting`, `@stream`, and `@read`/`@write` permissions are particularly vulnerable. Environments utilizing the official Redis Docker image are at higher risk due to partial RELRO settings.
## Vulnerability Description
The flaw resides in the `unblockClientOnKey()` function within `src/blocked.c`. When a key event wakes a blocked command, the function dispatches that command and then keeps using the same client pointer, but dispatch can free the client as a side effect. This results in a Use-After-Free (UAF) condition in which Redis reads from a freed client structure. An attacker can leverage this to overwrite function pointers via memory accounting routines, eventually repointing internal functions to execute shell commands.
## Exploitation
- **Status:** PoC demonstrated; technical chain is public. No confirmed reports of in-the-wild exploitation at the time of publication.
- **Complexity:** High (requires heap grooming, precise reclamation of the freed memory via pipelining, and knowledge of the specific memory layout).
- **Attack Vector:** Network (Authenticated session required).
## Impact
- **Confidentiality:** High (Full OS command execution allows access to all data).
- **Integrity:** High (Attacker can modify database records or system files).
- **Availability:** High (Attacker can crash the service or take control of the host).
## Remediation
### Patches
Upgrade to the following versions (released May 5, 2026) or newer:
- **7.2.14**
- **7.4.9**
- **8.2.6**
- **8.4.3**
- **8.6.3**
### Workarounds
- **ACL Restriction:** Disable or restrict the `CONFIG` command for untrusted users to break the specific exploitation chain.
- **Minimize Privileges:** Audit ACLs to ensure the default user or application accounts do not have unnecessary access to the `@admin` or `@scripting` categories.
- **Authentication:** Ensure all Redis instances require a strong password, as the exploit requires an authenticated session.
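As an added example (not from the advisory or the Redis project), the following Python script applies the advisory's version boundaries and ACL guidance offline: it reads a captured `INFO server` response to classify the build, and replays the ordered `+`/`-` rules of each `ACL LIST` line to find enabled users who can still reach `CONFIG`. The sample output and password hashes are constructed placeholders.

```python
import re

FIRST_AFFECTED = (7, 2, 0)
# First fixed release of each stable branch, per the advisory above.
FIXED_IN = {(7, 2): (7, 2, 14), (7, 4): (7, 4, 9), (8, 2): (8, 2, 6),
            (8, 4): (8, 4, 3), (8, 6): (8, 6, 3)}
# ACL categories that contain CONFIG; removing any of them removes CONFIG.
CONFIG_CATEGORIES = {"@all", "@admin", "@slow", "@dangerous"}

def parse_version(info_server: str) -> tuple:
    """Return (major, minor, patch) parsed from `INFO server` output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_server, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())

def version_status(version: tuple) -> str:
    """'not-affected', 'vulnerable', 'patched', or 'unknown' for branches the advisory omits."""
    if version < FIRST_AFFECTED:
        return "not-affected"
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"

def user_can_run_config(acl_line: str) -> bool:
    """Replay one `ACL LIST` line's ordered rules for CONFIG. Only the rule subset this
    check needs is handled (per-subcommand rules like +config|get are ignored)."""
    tokens = acl_line.split()
    if tokens[:1] != ["user"] or "off" in tokens[2:]:  # disabled users are not exposed
        return False
    allowed = False
    for tok in tokens[2:]:  # later rules override earlier ones, as in Redis
        if tok[0] in "+-" and (tok[1:] in CONFIG_CATEGORIES or tok[1:] == "config"):
            allowed = tok[0] == "+"
    return allowed

def exposed_users(acl_list: str) -> list:
    """Names of enabled users able to reach CONFIG, from full `ACL LIST` output."""
    return [line.split()[1] for line in acl_list.splitlines()
            if line.strip() and user_can_run_config(line)]

# Constructed sample output (not captured from a real host); hashes are placeholders.
SAMPLE_INFO = "# Server\r\nredis_version:7.4.5\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = """user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-placeholder> ~app:* resetchannels -@all +@read +@write +@stream
user ops on #<sha256-placeholder> ~* &* +@all -@dangerous
user legacy off nopass ~* &* +@all
"""
```

On the sample data, `version_status(parse_version(SAMPLE_INFO))` returns `'vulnerable'` and `exposed_users(SAMPLE_ACL)` returns `['default']`, since `ops` dropped `@dangerous` and `legacy` is disabled.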
## Detection
- **Indicators of Compromise:** Monitor for unusual shell command execution originating from the Redis process (`system()` calls). Audit Redis logs for unexpected `CONFIG SET` or `EVAL` usage.
- **Detection Methods:** Vulnerability scanners updated with CVE-2026-23479 signatures. Static analysis of internal memory accounting metrics for anomalies.
## References
- **Vendor Advisory:** https://redis.io/blog/security-advisory-cve202623479-cve202625243-cve-2026-25588-cve2026-25589-cve-2026-23631/
- **NVD Entry:** https://nvd.nist.gov/vuln/detail/CVE-2026-23479
- **Technical Deep Dive:** https://www.zeroday.cloud/blog/redis-cve-2026-23479-deep-dive
- **Tool Information:** https://theori.io/blog/announcing-xint-code