CVE-2021-32762 Overview
CVE-2021-32762 is an Integer Overflow vulnerability affecting Redis, an open source, in-memory database that persists on disk. The redis-cli command line tool and redis-sentinel service may be vulnerable to integer overflow when parsing specially crafted large multi-bulk network replies. This vulnerability stems from a flaw in the underlying hiredis library, which fails to perform an overflow check before calling the calloc() heap allocation function.
Critical Impact
An authenticated attacker with network access could exploit this integer overflow to potentially achieve remote code execution or cause denial of service on affected systems that use heap allocators without built-in overflow checks.
Affected Products
- Redis versions prior to 6.2.6
- Redis versions prior to 6.0.16
- Redis versions prior to 5.0.14
- Debian Linux 10.0 and 11.0
- Fedora 33, 34, and 35
- NetApp Management Services for Element Software and NetApp HCI
- Oracle Communications Operations Monitor 4.3, 4.4, and 5.0
Discovery Timeline
- 2021-10-04 - CVE-2021-32762 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-32762
Vulnerability Analysis
This vulnerability exists within the hiredis library used by Redis client tools. When redis-cli or redis-sentinel processes specially crafted multi-bulk network replies containing extremely large element counts, an integer overflow can occur during memory allocation calculations. The root issue is that the code multiplies the number of elements by the size of a pointer (sizeof(redisReply*)) without first checking if this multiplication would exceed the maximum representable value (SIZE_MAX).
When the overflow occurs, the calloc() function receives a significantly smaller size than intended, resulting in a heap buffer that is too small to hold the actual data. This can lead to heap corruption when subsequent data is written beyond the allocated buffer boundaries.
The practical exploitability of this vulnerability is somewhat limited by the fact that most modern heap allocators (including jemalloc, which is the default allocator for redis-sentinel) perform their own overflow checks. However, systems using allocators without such protections remain at risk.
Root Cause
The vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The hiredis library's createReplyObject() function calculates the allocation size by multiplying the number of elements by the pointer size without validating that the result does not overflow. When processing maliciously crafted responses with extremely large element counts, this calculation can wrap around, causing calloc() to allocate a smaller buffer than required.
Attack Vector
An attacker with authenticated network access to a Redis server could craft a malicious server response containing an extremely large multi-bulk reply. When a vulnerable redis-cli or redis-sentinel client parses this response, the integer overflow occurs during memory allocation. The attack requires the attacker to either control a malicious Redis server that the victim connects to, or perform a man-in-the-middle attack to inject malicious responses.
The following patch demonstrates the fix implemented in the hiredis library:
return NULL;
if (elements > 0) {
+ if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */
r->element = hi_calloc(elements,sizeof(redisReply*));
if (r->element == NULL) {
freeReplyObject(r);
Source: GitHub Commit
The patch adds a bounds check that verifies the element count will not cause an overflow when multiplied by the pointer size. If the check fails, the function safely returns NULL rather than proceeding with an undersized allocation.
Detection Methods for CVE-2021-32762
Indicators of Compromise
- Monitor for abnormally large Redis protocol responses, particularly multi-bulk replies with element counts approaching the maximum integer value
- Watch for unexpected crashes or segmentation faults in redis-cli or redis-sentinel processes
- Look for heap corruption indicators or memory-related errors in Redis client logs
Detection Strategies
- Implement network monitoring to detect anomalous Redis protocol traffic with unusually large array sizes
- Deploy endpoint detection solutions to monitor for exploitation attempts against Redis client processes
- Use application-level logging to track Redis client connection failures and parsing errors
- Configure intrusion detection systems to alert on Redis protocol anomalies
Monitoring Recommendations
- Enable detailed logging for redis-cli and redis-sentinel operations to capture potential exploitation attempts
- Monitor system logs for out-of-memory errors or segmentation faults associated with Redis processes
- Track Redis client version deployments across the environment to identify vulnerable instances
- Implement network traffic analysis for Redis connections to detect malformed protocol responses
How to Mitigate CVE-2021-32762
Immediate Actions Required
- Upgrade Redis to version 6.2.6, 6.0.16, or 5.0.14 depending on your current major version
- Audit all systems running redis-cli or redis-sentinel and prioritize patching
- Review network segmentation to limit exposure of Redis clients to untrusted networks
- Verify the heap allocator in use on affected systems to assess actual risk level
Patch Information
Redis has released patched versions that include the fixed hiredis library. The fix adds a bounds check before the calloc() call to prevent integer overflow. Organizations should upgrade to:
- Redis 6.2.6 or later for the 6.2.x branch
- Redis 6.0.16 or later for the 6.0.x branch
- Redis 5.0.14 or later for the 5.0.x branch
Additional vendor patches are available from Debian Security Advisory DSA-5001, Fedora Package Announcements, NetApp Security Advisory, and Oracle Security Alert.
Workarounds
- Systems using jemalloc (the default for redis-sentinel) are not likely vulnerable, but upgrading is still recommended
- Restrict network access to Redis clients to trusted networks only
- Implement TLS encryption and authentication for Redis connections to prevent man-in-the-middle attacks
- Consider using a heap allocator that performs overflow checks if immediate patching is not possible
# Verify current Redis version
redis-cli --version
# Check for vulnerable versions and update via package manager (Debian/Ubuntu)
apt-get update && apt-get install redis-server redis-tools
# Verify heap allocator in use (systems using jemalloc are less vulnerable)
redis-cli INFO | grep mem_allocator
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
