CVE Reports

Originally published at cvereports.com

CVE-2026-24814: Return of the Living Dead: Swoole's SDS Integer Overflow

Vulnerability ID: CVE-2026-24814
CVSS Score: 10.0
Published: 2026-01-27

It turns out that code reuse is great until you reuse vulnerable code and forget to patch it for five years. CVE-2026-24814 is a critical integer overflow in the Swoole PHP framework, specifically within its bundled version of the 'hiredis' library. This vulnerability is effectively a reincarnation of the infamous Redis CVE-2021-41099. By sending a massive payload, an attacker can trigger an integer wrap-around during buffer reallocation, leading to a heap-based buffer overflow. Since Swoole is designed for persistent, high-performance applications, this bug offers a pristine pathway to Remote Code Execution (RCE) with a CVSS score of 10.0.
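To make the wrap-around concrete, here is an added example (not code from Swoole or hiredis): an SDS-style growth computation written once without checks and once with them, followed by a toy buffer that uses the checked form. The names naive_grow_len, checked_grow_len, sbuf and SBUF_MAX_PREALLOC, and the sample strings, are this example's own.

```c
/* Added example, not code from Swoole or hiredis: an SDS-style buffer growth
 * computation without and with overflow checks.  naive_grow_len,
 * checked_grow_len, sbuf and SBUF_MAX_PREALLOC are this example's own names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cap on speculative pre-growth, in the spirit of SDS's preallocation limit
 * (the value is this example's choice). */
#define SBUF_MAX_PREALLOC ((size_t)1024 * 1024)

/* Unchecked: len + addlen is computed in size_t and silently wraps when the
 * true sum exceeds SIZE_MAX.  A caller that allocates newlen + 1 bytes and then
 * copies addlen bytes writes far past the end of the heap block. */
size_t naive_grow_len(size_t len, size_t addlen)
{
    size_t newlen = len + addlen;            /* may wrap to a small value */
    if (newlen < SBUF_MAX_PREALLOC)
        newlen *= 2;
    else
        newlen += SBUF_MAX_PREALLOC;         /* may wrap as well */
    return newlen;
}

/* Checked: every step that can wrap is tested first.  Returns 0 and stores the
 * new capacity in *out (when out is non-NULL), or -1 on overflow. */
int checked_grow_len(size_t len, size_t addlen, size_t *out)
{
    size_t newlen;

    if (addlen > SIZE_MAX - len)             /* len + addlen would wrap */
        return -1;
    newlen = len + addlen;

    if (newlen < SBUF_MAX_PREALLOC) {
        newlen *= 2;                         /* below 2 MiB, cannot wrap */
    } else {
        if (newlen > SIZE_MAX - SBUF_MAX_PREALLOC)
            return -1;                       /* newlen + PREALLOC would wrap */
        newlen += SBUF_MAX_PREALLOC;
    }
    if (newlen == SIZE_MAX)                  /* leave room for the NUL byte */
        return -1;
    if (out)
        *out = newlen;
    return 0;
}

/* Toy growable string used to show the checked path in context. */
typedef struct {
    char  *data;   /* NUL-terminated contents */
    size_t len;    /* bytes in use */
    size_t alloc;  /* usable capacity, excluding the NUL byte */
} sbuf;

/* Append n bytes, growing through checked_grow_len.  Returns 0 on success or
 * -1 (buffer unchanged) when the size arithmetic or realloc fails; the caller
 * must treat -1 as a hard error instead of assuming growth succeeded. */
int sbuf_append(sbuf *b, const void *src, size_t n)
{
    if (n > b->alloc - b->len) {
        size_t newalloc;
        char *p;
        if (checked_grow_len(b->len, n, &newalloc) != 0)
            return -1;
        p = realloc(b->data, newalloc + 1);
        if (p == NULL)
            return -1;
        b->data = p;
        b->alloc = newalloc;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

/* Appends two constructed chunks and returns the final length (0 on failure). */
size_t sbuf_roundtrip_len(void)
{
    sbuf b = {0};
    size_t len = 0;
    if (sbuf_append(&b, "GET ", 4) == 0 &&
        sbuf_append(&b, "session:42", 10) == 0 &&
        strcmp(b.data, "GET session:42") == 0)
        len = b.len;
    free(b.data);
    return len;
}

int main(void)
{
    /* A length that cannot fit: SIZE_MAX - 10 + 20 wraps to 9, which the naive
     * path then doubles to 18; the checked path refuses outright. */
    printf("naive newlen:   %zu\n", naive_grow_len(SIZE_MAX - 10, 20));
    printf("checked result: %d\n", checked_grow_len(SIZE_MAX - 10, 20, NULL));
    printf("roundtrip len:  %zu\n", sbuf_roundtrip_len());
    return 0;
}
```

The point the example makes is that the allocation size and the later copy length are derived from different expressions once the sum wraps: the allocator sees the small wrapped value while memcpy still uses the attacker-controlled addlen. Checking each addition before it happens, and refusing the request, is the fix the Redis advisory for CVE-2021-41099 applied and the one Swoole 6.0.2 ships.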

TL;DR

Swoole versions < 6.0.2 contain a critical integer overflow in the SDS string library (bundled from hiredis). This flaw allows unauthenticated remote attackers to trigger a heap buffer overflow and execute arbitrary code by sending crafted, large payloads.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-190 (Integer Overflow)
  • CVSS Score: 10.0 (Critical)
  • Attack Vector: Network (Remote)
  • Impact: Remote Code Execution (RCE)
  • Affected Component: thirdparty/hiredis/sds.c
  • Patch Version: 6.0.2

Affected Systems

  • swoole-src < 6.0.2 (fixed in 6.0.2)
  • Applications using the Swoole Redis client
  • Applications using Swoole functions that rely on SDS

Exploit Details

  • N/A: Exploitation logic is identical to Redis CVE-2021-41099. See Redis advisories for PoC concepts.

Mitigation Strategies

  • Update Swoole immediately to version 6.0.2.
  • Audit all bundled third-party libraries in your own projects.
  • Implement strict request body size limits at the reverse proxy (Nginx/Apache) level.

Remediation Steps

  1. Check current version: php --ri swoole
  2. If version < 6.0.2, pull the latest release.
  3. Recompile Swoole: pecl upgrade swoole or build from source.
  4. Restart the PHP/Swoole service.

Read the full report for CVE-2026-24814 on our website for more details including interactive diagrams and full exploit analysis.