BIT-valkey-2026-21863

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/valkey/BIT-valkey-2026-21863.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-valkey-2026-21863

Aliases

CVE-2026-21863
GHSA-c677-q3wr-gggq

Published

2026-02-26T08:53:20.799Z

Modified

2026-02-26T09:41:02.236234Z

Summary

Malformed Valkey Cluster bus message can lead to Remote DoS

Details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

Database specific

{
    "cpes": [
        "cpe:2.3:a:valkey-io:valkey:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / valkey

Package

Name: valkey
Purl: pkg:bitnami/valkey

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

7.2.12

Introduced

8.0.0

Fixed

8.0.7

Introduced

8.1.0

Fixed

8.1.6

Introduced

9.0.0

Fixed

9.0.2

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/valkey/BIT-valkey-2026-21863.json"