Use-After-Free Vulnerability in Redis Affects In-Memory Data Structure Store
CVE-2026-23631

6.1 MEDIUM

Key Information:

Vendor

Redis

Status
Vendor
CVE Published:
5 May 2026

What is CVE-2026-23631?

An authenticated attacker can exploit a use-after-free vulnerability in the master-replica synchronization mechanism of Redis. The flaw is reachable only when Lua scripting is enabled and replica-read-only is disabled, and exploiting it can potentially lead to remote code execution on affected replicas. To mitigate the risk, it is recommended to restrict script execution and to avoid running replicas with replica-read-only disabled. This issue is fixed in Redis 8.6.3.

Affected Version(s)

redis < 8.6.3
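The two mitigations named above (keep replicas read-only, restrict script execution) and the affected-version range can be checked from a configuration file without touching a live server. The following audit script is an added example, not code from the advisory or from the Redis project. It parses a redis.conf, reports a replica that has `replica-read-only` turned off, evaluates each `user` ACL line for whether the `@scripting` category (EVAL, EVALSHA, FCALL and friends) remains allowed, and compares a version string against 8.6.3. The sample configurations embedded in it are constructed for the example; the ACL evaluation is deliberately simplified (it models `+@all`/`-@all`/`allcommands`/`nocommands`/`reset`, the `@scripting` category and the individual script commands, nothing else) and is an assumption about which rules matter here, not a reimplementation of the Redis ACL engine.

```python
"""Audit a redis.conf for the mitigations named in the advisory for CVE-2026-23631.

Added example (not from the advisory or the Redis project). Checks:
  1. version < 8.6.3 (the affected range stated on the page)
  2. a replica (replicaof/slaveof present) running with replica-read-only no
  3. any ACL user whose rules still allow script execution
"""
from typing import List, Tuple

FIXED_VERSION = (8, 6, 3)          # from the advisory: redis < 8.6.3 is affected

# Commands in Redis' @scripting category that start script execution.
SCRIPT_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}

# Constructed sample: a replica with read-only disabled and permissive ACLs.
WEAK_CONF = """
# constructed sample, not a real deployment
port 6379
replicaof 10.0.0.5 6379
replica-read-only no
user default on nopass ~* &* +@all
user app on >app-secret ~app:* +@all -@scripting
user ops on >ops-secret ~* +@scripting
"""

# Constructed sample with the two mitigations applied.
HARDENED_CONF = """
port 6379
replicaof 10.0.0.5 6379
replica-read-only yes
user default on >strong-pass ~* &* +@all -@scripting
user app on >app-secret ~app:* +@all -@scripting
user ops on >ops-secret ~* +@all -@scripting
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.6.2' -> (8, 6, 2); tuple comparison orders versions correctly."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected_version(version: str) -> bool:
    return parse_version(version) < FIXED_VERSION


def parse_conf(text: str) -> List[Tuple[str, List[str]]]:
    """Return (directive, args) for every non-comment, non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def scripting_allowed(rules: List[str]) -> bool:
    """Evaluate ACL rules left to right (later rules override earlier ones) and
    report whether any script-execution command is still permitted."""
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("allcommands", "+@all", "+@scripting"):
            allowed = True
        elif r in ("nocommands", "-@all", "-@scripting", "reset"):
            allowed = False
        elif r.startswith("+") and r[1:] in SCRIPT_COMMANDS:
            allowed = True
    return allowed


def audit(conf_text: str, version: str = None) -> List[str]:
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    if version is not None and is_affected_version(version):
        findings.append(f"version {version} is affected (fixed in 8.6.3)")

    entries = parse_conf(conf_text)
    is_replica = any(d in ("replicaof", "slaveof") for d, _ in entries)
    read_only = True                      # Redis default when the directive is absent
    for d, args in entries:
        if d in ("replica-read-only", "slave-read-only") and args:
            read_only = args[0].lower() == "yes"
    if is_replica and not read_only:
        findings.append("replica-read-only is disabled on a replica")

    default_declared = False
    for d, args in entries:
        if d != "user" or not args:
            continue
        name, rules = args[0], args[1:]
        default_declared = default_declared or name == "default"
        if scripting_allowed(rules):
            findings.append(f"user '{name}' can run scripts")
    if not default_declared:
        # The implicit 'default' user is granted all commands unless restricted.
        findings.append("user 'default' (implicit) can run scripts")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf, "8.6.2") or ["no findings"])
```

Run it against a real redis.conf by reading the file into `audit()`; the version string can be taken from `redis-server --version` or the `redis_version` field of `INFO server`. Findings for the weak sample are the affected version, the writable replica, and the `default` and `ops` users, while `app` passes because its trailing `-@scripting` wins over the earlier `+@all`.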

References

CVSS V4

Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
