CVE-2026-25243

UNKNOWN 0.0

redis-server RESTORE invalid memory access may allow remote code execution

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

CWE	CWE-122
Vendor	redis
Product	redis
Ecosystems	Database Cache
Industries	Technology
Published	May 5, 2026

Stay Ahead of the Next One

Get instant alerts for redis redis

Be the first to know when new unknown vulnerabilities affecting redis redis are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

redis / redis

< 8.6.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4 github.com: https://github.com/redis/redis/releases/tag/8.6.3