CVE-2026-21863

{"id": "CVE-2026-21863", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-23T20:28:53.853", "references": [{"url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."}, {"lang": "es", "value": "Valkey es una base de datos distribuida de clave-valor. Antes de las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12, un actor malicioso con acceso al puerto clusterbus de Valkey puede enviar un paquete inv\u00e1lido que puede causar una lectura fuera de l\u00edmites, lo que podr\u00eda resultar en la ca\u00edda del sistema. El c\u00f3digo de procesamiento de paquetes clusterbus de Valkey no valida que un paquete de extensi\u00f3n ping de clusterbus est\u00e9 ubicado dentro del b\u00fafer del paquete clusterbus antes de intentar leerlo. Las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12 solucionan el problema. Como una mitigaci\u00f3n adicional, no exponga la conexi\u00f3n del bus de cl\u00faster directamente a los usuarios finales y proteja la conexi\u00f3n con sus propias ACL de red."}], "lastModified": "2026-02-25T17:49:51.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0A7DFDB2-5FDE-4F69-9B9E-7ED6D910EF76", "versionEndExcluding": "7.2.12"}, {"criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2375C3CF-6580-4EA0-AA6A-A92198CB7E1F", "versionEndExcluding": "8.0.7", "versionStartIncluding": "8.0.0"}, {"criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "03050B63-5660-4DFF-B6AC-3E701B9D199D", "versionEndExcluding": "8.1.6", "versionStartIncluding": "8.1.0"}, {"criteria": "cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "315880B4-E0D2-4366-8E7B-2B97D82BA92E", "versionEndExcluding": "9.0.2", "versionStartIncluding": "9.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}