ALPINE-CVE-2026-27623

See a problem?
Please try reporting it to the source first.
Source
https://security.alpinelinux.org/vuln/CVE-2026-27623
Import Source
https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-27623.json
JSON Data
https://api.osv.dev/v1/vulns/ALPINE-CVE-2026-27623
Upstream
Published
2026-02-23T20:28:55.217Z
Modified
2026-03-31T20:30:37.625545Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.

References

Affected packages

Alpine:v3.23 / valkey

Package

Name
valkey
Purl
pkg:apk/alpine/valkey?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.3-r0

Affected versions

7.*
7.2.5-r0
7.2.5-r1
7.2.5-r2
7.2.7-r0
7.2.8-r0
7.2.9-r0
8.*
8.1.1-r0
8.1.1-r1
8.1.1-r2
8.1.4-r0
9.*
9.0.0-r0
9.0.0-r1
9.0.0-r2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/alpine/ALPINE-CVE-2026-27623.json"