AZL-78320

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-78320.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-78320

Upstream

CVE-2026-21863

Published

2026-02-23T20:28:53Z

Modified

2026-04-21T04:34:24.575722Z

Summary

CVE-2026-21863 affecting package valkey for versions less than 8.0.7-1

Details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

References

https://nvd.nist.gov/vuln/detail/CVE-2026-21863

Affected packages

Azure Linux:3 / valkey

Package

Name: valkey
Purl: pkg:rpm/azure-linux/valkey

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.7-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-78320.json"