Malformed Valkey Cluster bus message can lead to Remote DoS
Summary
| CVE | CVE-2026-21863 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-02-23 20:28:53 UTC |
| Updated | 2026-07-15 02:18:31 UTC |
| Description | Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-125 | CWE-125 CWE-125: Out-of-bounds Read | CWE-125 Out-of-bounds Read
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Lfprojects | Valkey | All | All | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Valkey-io | Valkey | affected < 7.2.12 | Not specified |
| CNA | Valkey-io | Valkey | affected >= 8.0.0, < 8.0.7 | Not specified |
| CNA | Valkey-io | Valkey | affected >= 8.1.0, < 8.1.6 | Not specified |
| CNA | Valkey-io | Valkey | affected >= 9.0.0, < 9.0.2 | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10 | unaffected 0:8.0.7-1.el10_1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 10.0 Extended Update Support | unaffected 0:8.0.7-1.el10_0 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 9 | unaffected 0:8.0.7-1.el9_7 * rpm | Not specified |
| ADP | Red Hat | Red Hat Hardened Images | unaffected 9.0.3-1.2.hum1 * rpm | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq | [email protected] | github.com | Vendor Advisory |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21863.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3443 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-21863 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:3507 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:5445 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8753 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-02-23T21:03:12.281Z | Reported to Red Hat. |
| ADP | 2026-02-23T19:41:28.783Z | Made public. |
Solutions
ADP: RHSA-2026:5445: Red Hat Enterprise Linux AppStream EUS (v. 10.0)
ADP: RHSA-2026:3443: Red Hat Enterprise Linux AppStream (v. 10)
ADP: RHSA-2026:3507: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:8753: Red Hat Hardened Images
Workarounds
ADP: To mitigate this issue, restrict network access to the Valkey cluster bus port. Configure network access control lists (ACLs) or firewall rules to ensure that only trusted hosts can connect to the cluster bus port. This limits the attack surface by preventing unauthorized actors from sending malicious clusterbus packets.