Use-After-Free Vulnerability in Redis Server by Redis Labs
CVE-2026-23479
What is CVE-2026-23479?
CVE-2026-23479 is a critical use-after-free vulnerability in the Redis server, a widely used in-memory data structure store that many applications rely on for real-time data processing and caching. The vulnerability affects versions from 7.2.0 up to, but not including, 8.6.3 and allows an authenticated attacker to trigger an error in the unblock client flow. Specifically, when a blocked command is re-executed and the client is evicted during that re-execution, the resulting error is not handled correctly, which can leave a reference to freed memory and produce a use-after-free condition. This flaw could consequently enable the attacker to execute arbitrary code remotely, posing a severe risk to any organization running affected versions of Redis. Remote code execution of this kind can compromise the host and lead to unauthorized data manipulation or exfiltration.
Potential Impact of CVE-2026-23479
- Remote Code Execution: The most significant risk associated with this vulnerability is the possibility for an attacker to achieve remote code execution on the affected systems, potentially allowing them to take full control over the server environment.
- Data Integrity Threats: The ability to execute arbitrary code can lead to unauthorized access and modifications of critical data stored within Redis. This can undermine data integrity, leading organizations to face serious repercussions, including loss of sensitive information and business reputation.
- System Compromise: Exploiting this vulnerability could allow an attacker not just to access the Redis server but also to pivot into deeper network layers or other connected systems, significantly broadening the impact of the attack and enhancing the malicious actor's foothold within an organization's infrastructure.
Affected Version(s)
redis >= 7.2.0, < 8.6.3
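A check a defender can run against the affected range listed above, added here as an example that is not part of the original page. It extracts `redis_version` from the output of the INFO server command (the sample output is constructed) and compares it with the page's range; treating pre-release builds of the fixed version as still affected is my conservative assumption, not something the page states.

```python
import re

# Affected range exactly as the page states it: redis >= 7.2.0, < 8.6.3.
# The fourth tuple element marks pre-release (0) versus final (1) builds so
# that e.g. 8.6.3-rc1 sorts below 8.6.3 and is still reported as affected.
AFFECTED_MIN = (7, 2, 0, 0)   # assumption: pre-releases of 7.2.0 count too
FIXED_IN = (8, 6, 3, 1)       # first version the page lists as not affected

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(.*)$")


def parse_version(text: str) -> tuple:
    """Turn '8.6.2' or '8.6.3-rc1' into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    major, minor, patch, rest = m.groups()
    prerelease = bool(rest.strip())          # any suffix => pre-release build
    return (int(major), int(minor), int(patch), 0 if prerelease else 1)


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range from the page."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def version_from_info(info_text: str) -> str:
    """Pull the redis_version field out of INFO server output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


# Constructed sample of INFO server output, not captured from a real host.
SAMPLE_INFO = "# Server\r\nredis_version:8.4.0\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    ver = version_from_info(SAMPLE_INFO)
    print(ver, "affected" if is_affected(ver) else "not affected")
```

Feed it the real output of `redis-cli INFO server` instead of SAMPLE_INFO to check a live instance.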
News Articles
Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)
Redis CVE-2026-23479 enables authenticated RCE; affecting versions since 7.2.0, patched May 5 to reduce exploitation risk.
Timeline
- Vulnerability started trending
- Exploit known to exist
- First article discovered by The Hacker News
- Vulnerability published
- Vulnerability reserved
