{"api_version":"1","generated_at":"2026-07-16T15:07:04+00:00","cve":"CVE-2026-21863","urls":{"html":"https://cve.report/CVE-2026-21863","api":"https://cve.report/api/cve/CVE-2026-21863.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-21863","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-21863"},"summary":{"title":"Malformed Valkey Cluster bus message can lead to Remote DoS","description":"Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-02-23 20:28:53","updated_at":"2026-07-15 02:18:31"},"problem_types":["CWE-125","CWE-125 CWE-125: Out-of-bounds Read","CWE-125 Out-of-bounds Read"],"metrics":[{"version":"3.1","source":"ADP","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}},{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq","name":"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq","refsource":"security-advisories@github.com","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21863.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21863.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3443","name":"https://access.redhat.com/errata/RHSA-2026:3443","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442026","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2442026","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-21863","name":"https://access.redhat.com/security/cve/CVE-2026-21863","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:3507","name":"https://access.redhat.com/errata/RHSA-2026:3507","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:5445","name":"https://access.redhat.com/errata/RHSA-2026:5445","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:8753","name":"https://access.redhat.com/errata/RHSA-2026:8753","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-21863","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21863","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"valkey-io","product":"valkey","version":"affected < 7.2.12","platforms":[]},{"source":"CNA","vendor":"valkey-io","product":"valkey","version":"affected >= 8.0.0, < 8.0.7","platforms":[]},{"source":"CNA","vendor":"valkey-io","product":"valkey","version":"affected >= 8.1.0, < 8.1.6","platforms":[]},{"source":"CNA","vendor":"valkey-io","product":"valkey","version":"affected >= 9.0.0, < 9.0.2","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"unaffected 0:8.0.7-1.el10_1 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10.0 Extended Update Support","version":"unaffected 0:8.0.7-1.el10_0 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"unaffected 0:8.0.7-1.el9_7 * rpm","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Hardened Images","version":"unaffected 9.0.3-1.2.hum1 * rpm","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-23T21:03:12.281Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-23T19:41:28.783Z","lang":"en","value":"Made public."}],"solutions":[{"source":"ADP","title":"","value":"RHSA-2026:5445: Red Hat Enterprise Linux AppStream EUS (v. 10.0)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:3443: Red Hat Enterprise Linux AppStream (v. 10)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:3507: Red Hat Enterprise Linux AppStream (v. 9)","time":"","lang":"en"},{"source":"ADP","title":"","value":"RHSA-2026:8753: Red Hat Hardened Images","time":"","lang":"en"}],"workarounds":[{"source":"ADP","title":"","value":"To mitigate this issue, restrict network access to the Valkey cluster bus port. Configure network access control lists (ACLs) or firewall rules to ensure that only trusted hosts can connect to the cluster bus port. This limits the attack surface by preventing unauthorized actors from sending malicious clusterbus packets.","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"21863","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"lfprojects","cpe5":"valkey","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-21863","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-02-25T14:58:12.583553Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-25T14:58:41.277Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:10.1"],"defaultStatus":"affected","packageName":"valkey","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:8.0.7-1.el10_1","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","packageName":"valkey","product":"Red Hat Enterprise Linux 10.0 Extended Update Support","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:8.0.7-1.el10_0","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:enterprise_linux:9"],"defaultStatus":"affected","packageName":"valkey","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"0:8.0.7-1.el9_7","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","packageName":"valkey-main","product":"Red Hat Hardened Images","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"9.0.3-1.2.hum1","versionType":"rpm"}]}],"datePublic":"2026-02-23T19:41:28.783Z","descriptions":[{"lang":"en","value":"A flaw was found in Valkey, a distributed key-value database. A malicious actor with access to the Valkey clusterbus port can exploit an input validation vulnerability by sending a specially crafted invalid clusterbus packet. This lack of validation for clusterbus ping extension packets can lead to an out-of-bounds read. Consequently, this may cause the system to crash, resulting in a Denial of Service (DoS)."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-125","description":"Out-of-bounds Read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-15T01:19:48.777Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-21863"},{"name":"RHBZ#2442026","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442026"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-21863.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:5445"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3443"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:3507"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8753"}],"solutions":[{"lang":"en","value":"RHSA-2026:5445: Red Hat Enterprise Linux AppStream EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:3443: Red Hat Enterprise Linux AppStream (v. 10)"},{"lang":"en","value":"RHSA-2026:3507: Red Hat Enterprise Linux AppStream (v. 9)"},{"lang":"en","value":"RHSA-2026:8753: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-02-23T21:03:12.281Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-23T19:41:28.783Z","value":"Made public."}],"title":"valkey: Valkey: Denial of Service via invalid clusterbus packet","workarounds":[{"lang":"en","value":"To mitigate this issue, restrict network access to the Valkey cluster bus port. Configure network access control lists (ACLs) or firewall rules to ensure that only trusted hosts can connect to the cluster bus port. This limits the attack surface by preventing unauthorized actors from sending malicious clusterbus packets."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"product":"valkey","vendor":"valkey-io","versions":[{"status":"affected","version":"< 7.2.12"},{"status":"affected","version":">= 8.0.0, < 8.0.7"},{"status":"affected","version":">= 8.1.0, < 8.1.6"},{"status":"affected","version":">= 9.0.0, < 9.0.2"}]}],"descriptions":[{"lang":"en","value":"Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-125","description":"CWE-125: Out-of-bounds Read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-23T19:41:28.783Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq","tags":["x_refsource_CONFIRM"],"url":"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"}],"source":{"advisory":"GHSA-c677-q3wr-gggq","discovery":"UNKNOWN"},"title":"Malformed Valkey Cluster bus message can lead to Remote DoS"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-21863","datePublished":"2026-02-23T19:41:28.783Z","dateReserved":"2026-01-05T16:44:16.367Z","dateUpdated":"2026-07-15T01:19:48.777Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-23 20:28:53","lastModifiedDate":"2026-07-15 02:18:31","problem_types":["CWE-125","CWE-125 CWE-125: Out-of-bounds Read","CWE-125 Out-of-bounds Read"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-25T14:58:12.583553Z","id":"CVE-2026-21863","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionEndExcluding":"7.2.12","matchCriteriaId":"0A7DFDB2-5FDE-4F69-9B9E-7ED6D910EF76"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.7","matchCriteriaId":"2375C3CF-6580-4EA0-AA6A-A92198CB7E1F"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"8.1.0","versionEndExcluding":"8.1.6","matchCriteriaId":"03050B63-5660-4DFF-B6AC-3E701B9D199D"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.2","matchCriteriaId":"315880B4-E0D2-4366-8E7B-2B97D82BA92E"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"21863","Ordinal":"1","Title":"Malformed Valkey Cluster bus message can lead to Remote DoS","CVE":"CVE-2026-21863","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"21863","Ordinal":"1","NoteData":"Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.","Type":"Description","Title":"Malformed Valkey Cluster bus message can lead to Remote DoS"}]}}}