
CVE Reports

Originally published at cvereports.com

CVE-2026-23479: Use-After-Free Vulnerability in Redis Blocking-Client Command Re-Execution

Vulnerability ID: CVE-2026-23479
CVSS Score: 8.8
Published: 2026-05-05

CVE-2026-23479 is a high-severity (CVSS 8.8) Use-After-Free (UAF) vulnerability in the blocking-client code path of Redis, the in-memory data structure server. In affected versions (7.2.0 and later, prior to the fixed releases listed below), the unblock-client flow ignores the error return of processCommandAndResetClient when it re-executes a command that had previously blocked. If the client is evicted during that re-execution, because of memory limits or the client-eviction policy (maxmemory-clients), its client structure is freed and the function reports an error. Because the caller disregards that return value and keeps going, it reads and writes fields of the already-freed client structure: a Use-After-Free.
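The failure mode described above, as an added example that is not Redis code: a constructed model in C with a tiny poisoned client pool standing in for the allocator, a stand-in for processCommandAndResetClient that frees the client when a constructed maxmemory-clients budget is exceeded and returns C_ERR, and the pre-fix caller beside the post-fix caller from commit c14e992. The pool, the field names, the 600-byte per-call charge and the 1024-byte budget are all assumptions for the demonstration; filling freed slots with a poison byte makes the dangling write observable deterministically instead of leaving it as undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define C_OK   0
#define C_ERR -1

/* Constructed model of a Redis client; field names are illustrative only. */
typedef struct client {
    int    id;
    size_t mem_usage;   /* bytes charged against maxmemory-clients */
    bool   blocked;     /* set while the client waits on a blocking command */
    long   replies;
} client;

/* Fixed pool standing in for the real allocator. Freed slots are filled with
 * POISON so a later write through a dangling pointer can be detected. */
#define POOL_SIZE 4
#define POISON    0xDD
static client pool[POOL_SIZE];
static bool   in_use[POOL_SIZE];

/* Assumed client-eviction budget (analogue of maxmemory-clients). */
static size_t maxmemory_clients = 1024;

static client *alloc_client(int id) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!in_use[i]) {
            in_use[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            pool[i].id = id;
            pool[i].blocked = true;
            return &pool[i];
        }
    }
    return NULL;
}

static void free_client(client *c) {
    size_t i = (size_t)(c - pool);
    in_use[i] = false;
    memset(c, POISON, sizeof *c);
}

/* True if a freed slot's poison was disturbed, i.e. something wrote through
 * a dangling pointer after free_client(). */
static bool slot_was_written_after_free(const client *c) {
    size_t i = (size_t)(c - pool);
    if (in_use[i]) return false;
    const unsigned char *p = (const unsigned char *)c;
    for (size_t k = 0; k < sizeof *c; k++)
        if (p[k] != POISON) return true;
    return false;
}

/* Model of processCommandAndResetClient(): re-executes the command, then runs
 * client eviction. Returns C_ERR exactly when the client was freed. */
static int process_command_and_reset_client(client *c) {
    c->replies++;
    c->mem_usage += 600;               /* reply buffer growth charged to c */
    if (c->mem_usage > maxmemory_clients) {
        free_client(c);                /* evicted: c is now dangling */
        return C_ERR;
    }
    return C_OK;
}

/* Pre-fix flow: the return value is ignored and the client is touched again. */
static void unblock_client_vulnerable(client *c) {
    process_command_and_reset_client(c);
    c->blocked = false;                /* UAF when the client was just evicted */
}

/* Post-fix flow, mirroring commit c14e992: stop if the client is gone. */
static void unblock_client_fixed(client *c) {
    if (process_command_and_reset_client(c) == C_ERR)
        return;
    c->blocked = false;
}

/* Drive one client whose second re-execution crosses the eviction budget.
 * Returns true if the unblock flow wrote into freed memory. */
static bool run_scenario(void (*unblock)(client *)) {
    memset(in_use, 0, sizeof in_use);
    client *c = alloc_client(7);
    unblock(c);                        /* 600 bytes: survives */
    unblock(c);                        /* 1200 bytes: evicted mid re-execution */
    return slot_was_written_after_free(c);
}

bool vulnerable_flow_writes_freed_memory(void) { return run_scenario(unblock_client_vulnerable); }
bool fixed_flow_writes_freed_memory(void)      { return run_scenario(unblock_client_fixed); }

int main(void) {
    printf("pre-fix flow writes freed client: %s\n", vulnerable_flow_writes_freed_memory() ? "yes" : "no");
    printf("fixed flow writes freed client:   %s\n", fixed_flow_writes_freed_memory() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c11 -Wall uaf_demo.c` (file name assumed). The poisoned pool is a hand-rolled version of what AddressSanitizer does for real heap memory; running an unpatched redis-server under ASan while a blocked client is pushed over maxmemory-clients during re-execution is the equivalent check against the real code.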

TL;DR

A Use-After-Free in the Redis blocking-client flow lets an authenticated attacker execute arbitrary system commands on the server host; the public proof of concept reclaims the freed client memory with attacker-controlled data and overwrites a GOT entry to hijack control flow.


⚠️ Exploit Status: PoC (public proof of concept)

Technical Details

  • CWE ID: CWE-416
  • Attack Vector: Network
  • CVSS Score: 8.8 (High)
  • EPSS Score: 0.00103
  • Exploit Status: PoC
  • CISA KEV Status: Not Listed

Affected Systems

  • Redis (redis-server) 7.2.0 - 7.2.13 (fixed in 7.2.14)
  • Redis (redis-server) 7.4.0 - 7.4.8 (fixed in 7.4.9)
  • Redis (redis-server) 8.2.0 - 8.2.5 (fixed in 8.2.6)
  • Redis (redis-server) 8.4.0 - 8.4.2 (fixed in 8.4.3)
  • Redis (redis-server) 8.6.0 - 8.6.2 (fixed in 8.6.3)

Code Analysis

Commit: c14e992

Fix UAF when unblocking client

@@ -1,15 +1,15 @@\n...\n-        processCommandAndResetClient(c);\n+        if (processCommandAndResetClient(c) == C_ERR) {\n+            return;\n+        }
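Review bot: the early return in `if (processCommandAndResetClient(c) == C_ERR) { return; }` is only safe if C_ERR is returned exclusively when the client has been freed; if the function can also fail with `c` still alive, the caller now silently skips everything that followed for those clients too. Add a comment at the check stating that C_ERR means the client was freed and `c` must not be dereferenced, so nobody later adds cleanup after the call, and confirm that the elided lines before the call do not cache anything derived from `c` that is consumed after it.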

Exploit Details

  • ZeroDay.cloud: Detailed proof-of-concept write-up on the exploitation mechanics

Mitigation Strategies

  • Disable or restrict the CONFIG command (for example via Redis ACLs) so that an authenticated client cannot change maxmemory-clients at runtime to trigger eviction on demand.
  • Restrict Lua scripting (EVAL/EVALSHA) with Redis ACLs to deny the heap address leakage the proof of concept relies on.
  • Bind Redis only to the loopback interface or a trusted private network, and require authentication for every client; this does not fix the bug, it limits who can reach it.

Remediation Steps:

  1. Identify the currently deployed Redis version.
  2. Select the patched release for your branch: 7.2.14, 7.4.9, 8.2.6, 8.4.3 or 8.6.3.
  3. Apply the update in a staging environment to verify functionality.
  4. Deploy the patched version to production and restart the redis-server process.
