CVE-2026-23479
redis-server use-after-free in unblock client flow may allow remote code execution
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.
| CWE | CWE-416 |
| Vendor | redis |
| Product | redis |
| Ecosystems | |
| Industries | Technology |
| Published | May 5, 2026 |
| Last Updated | May 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for redis redis
Be the first to know when new unknown vulnerabilities affecting redis redis are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
redis / redis
>= 7.2.0, < 8.6.3