CVE-2024-46981 Overview
CVE-2024-46981 is a critical Use After Free vulnerability affecting Redis, the popular open source in-memory database that can persist data to disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially achieve remote code execution. The vulnerability is classified as CWE-416 (Use After Free): memory is accessed after it has been freed, which can allow an attacker to corrupt data, crash the application, or execute arbitrary code.
Critical Impact
This vulnerability enables authenticated attackers to achieve remote code execution on Redis servers by exploiting memory corruption in the Lua script garbage collector, potentially leading to complete server compromise.
Affected Products
- Redis versions prior to 7.4.2
- Redis versions prior to 7.2.7
- Redis versions prior to 6.2.17
- Debian Linux 11.0
Discovery Timeline
- 2025-01-06 - CVE-2024-46981 published to NVD
- 2025-09-05 - Last updated in NVD database
Technical Details for CVE-2024-46981
Vulnerability Analysis
This vulnerability is a Use After Free condition in Redis's Lua scripting engine, specifically in the interaction between Redis and the Lua garbage collector. Redis supports embedded Lua scripting through the EVAL and EVALSHA commands, which let users execute complex operations atomically on the server. The flaw lies in how Redis manages memory during Lua script execution.
When a specially crafted Lua script manipulates the garbage collector in a specific sequence, it can cause Redis to access memory that has already been freed. This creates a window where an attacker can potentially control the contents of the freed memory region, leading to arbitrary code execution with the privileges of the Redis server process.
The attack requires authentication to the Redis server, so the attacker needs valid credentials or access to an unprotected instance. Because Redis is often deployed on internal networks and sometimes left without authentication, the practical exploitation risk is significant for organizations with misconfigured deployments.
Root Cause
The root cause of CVE-2024-46981 is improper memory management in Redis's Lua interpreter integration. The garbage collector, which is responsible for automatically freeing unused memory objects, can be manipulated by carefully crafted Lua scripts to trigger premature deallocation of memory objects that are still referenced. When Redis subsequently accesses these freed memory regions, it operates on potentially attacker-controlled data, creating a Use After Free condition that can be leveraged for code execution.
Attack Vector
The attack vector for CVE-2024-46981 involves network-based exploitation by an authenticated user. The attacker must have the ability to execute Lua scripts on the target Redis server, which requires either valid authentication credentials or access to an unprotected instance. Once authenticated, the attacker sends a malicious Lua script via the EVAL or EVALSHA command that manipulates garbage collection timing to corrupt memory and gain code execution.
The vulnerability is exploited through Redis's standard command interface, making it accessible from any client that can connect to the Redis port (default 6379). No user interaction is required beyond the initial network access and authentication.
Detection Methods for CVE-2024-46981
Indicators of Compromise
- Unusual or complex Lua script executions via EVAL or EVALSHA commands, particularly those involving explicit garbage collection calls
- Unexpected Redis server crashes or restarts that may indicate exploitation attempts
- Redis process spawning child processes or executing unusual system calls
- Network connections from the Redis process to unexpected external destinations
Detection Strategies
- Monitor Redis logs for excessive or unusual EVAL and EVALSHA command usage patterns
- Implement network intrusion detection rules to identify suspicious Redis command sequences targeting garbage collection
- Deploy endpoint detection to monitor Redis process behavior for signs of code execution or memory corruption
- Review Redis ACL configurations to identify users with unnecessary Lua script execution permissions
Monitoring Recommendations
- Enable Redis slow log and monitor for unusual Lua script patterns
- Configure alerting for Redis process crashes or unexpected terminations
- Implement audit logging for all EVAL and EVALSHA commands in production environments
- Monitor system calls from the Redis process using security tools to detect post-exploitation activity
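The log-based checks above, as an added example that is not part of the original advisory: a small Python scanner that parses Redis MONITOR-style output (the sample lines below are constructed), counts EVAL/EVALSHA use per client, and alerts on script bodies that call collectgarbage() explicitly.

```python
import re

# Constructed sample of MONITOR output for illustration (not captured from a real server).
SAMPLE_MONITOR = """\
1736150400.101 [0 10.0.0.5:50412] "SET" "session:1" "abc"
1736150400.202 [0 10.0.0.9:50880] "EVAL" "return redis.call('GET', KEYS[1])" "1" "session:1"
1736150400.303 [0 10.0.0.9:50880] "EVAL" "local t = {} collectgarbage('collect') return 1" "0"
1736150400.404 [0 10.0.0.9:50880] "EVALSHA" "a42059b356c875f0717db19a51f6aaca9ae659ea" "0"
1736150400.505 [0 10.0.0.5:50412] "GET" "session:1"
"""

# One MONITOR line: <timestamp> [<db> <client-address>] "CMD" "arg" ...
LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>\S+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Explicit garbage-collector manipulation inside the script body is the pattern of interest.
GC_RE = re.compile(r'\bcollectgarbage\s*\(')

def parse_line(line):
    """Split one MONITOR line into timestamp, client address and argv (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": float(m.group("ts")), "addr": m.group("addr"),
            "args": ARG_RE.findall(m.group("args"))}

def scan_monitor(text):
    """Return (alerts, scripting-commands-per-client) for a MONITOR capture."""
    alerts, counts = [], {}
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev or not ev["args"]:
            continue
        cmd = ev["args"][0].upper()
        if cmd not in ("EVAL", "EVALSHA"):
            continue
        counts[ev["addr"]] = counts.get(ev["addr"], 0) + 1
        # EVALSHA carries only a hash; its body must be looked up in the script cache
        # during review, so only EVAL bodies can be inspected here.
        if cmd == "EVAL" and len(ev["args"]) > 1 and GC_RE.search(ev["args"][1]):
            alerts.append((ev["ts"], ev["addr"], "EVAL script calls collectgarbage()"))
    return alerts, counts
```

MONITOR adds noticeable load on a busy server, so run this over short captures or over an equivalent proxy or traffic log rather than continuously.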
How to Mitigate CVE-2024-46981
Immediate Actions Required
- Upgrade Redis immediately to version 7.4.2, 7.2.7, or 6.2.17 depending on your deployed version branch
- If immediate patching is not possible, restrict Lua script execution using Redis ACL commands
- Audit all Redis instances for proper authentication configuration
- Review network segmentation to ensure Redis servers are not exposed to untrusted networks
Patch Information
Redis has released security patches addressing this vulnerability across all supported version branches. Organizations should upgrade to the following fixed versions:
- Redis 7.4.2 - For users on the 7.4.x branch
- Redis 7.2.7 - For users on the 7.2.x branch
- Redis 6.2.17 - For users on the 6.2.x branch
Debian Linux users should refer to the Debian LTS Announcement for package update instructions.
For detailed vulnerability information, see the GitHub Security Advisory GHSA-39h2-x6c4-6w4c.
Workarounds
- Disable Lua scripting by restricting EVAL and EVALSHA commands using Redis ACL
- Implement network-level access controls to limit connections to trusted clients only
- Enable Redis authentication, if not already configured, using the requirepass directive
- Consider deploying Redis in protected mode to prevent external access
# Redis ACL configuration to restrict Lua script execution
# Run these with ACL SETUSER at runtime (persist with ACL SAVE when an aclfile is configured),
# or put the equivalent "user <name> ..." line in redis.conf or the ACL file
# Create a restricted user with no scripting commands at all: -@scripting also removes
# EVAL_RO, EVALSHA_RO, SCRIPT and the FUNCTION/FCALL family, which -EVAL -EVALSHA alone would leave enabled
ACL SETUSER restricted_user on >securepassword ~* +@all -@scripting
# Or modify existing users to remove script execution
ACL SETUSER default -@scripting
# Verify the effective rules for every user and for one user in detail
ACL LIST
ACL GETUSER restricted_user
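As an added audit example (not from the advisory or the Redis project), the Python below replays ACL LIST output rule by rule to find users that authenticate without a password or that still retain any Lua-executing command; it goes beyond the EVAL/EVALSHA pair to cover the read-only and FCALL variants, and the sample ACL LIST lines and their password hashes are constructed placeholders.

```python
# Constructed ACL LIST output for illustration (not from a real deployment).
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user restricted_user on #<sha256-placeholder> ~* resetchannels +@all -@scripting
user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write +eval
user legacy on #<sha256-placeholder> ~* &* +@all -@scripting +@slow
user disabled off #<sha256-placeholder> ~* &* +@all
"""

# EVAL is tagged both @scripting and @slow: a later +@slow re-enables it after -@scripting.
EVAL_CATEGORIES = {"@all", "@scripting", "@slow"}
# Commands that execute Lua: EVAL family plus the 7.x read-only variants and Functions.
LUA_COMMANDS = {"eval", "evalsha", "eval_ro", "evalsha_ro", "fcall", "fcall_ro"}

def allowed_lua_commands(rule_tokens):
    """Replay ACL rules in order (last rule wins); return the Lua commands left enabled."""
    allowed = set()
    for tok in rule_tokens:
        t = tok.lower()
        if t == "allcommands":
            allowed = set(LUA_COMMANDS)
        elif t == "nocommands":
            allowed = set()
        elif t[:1] in "+-":
            target = t[1:].split("|", 1)[0]        # drop subcommand qualifiers
            if target in EVAL_CATEGORIES:
                allowed = set(LUA_COMMANDS) if t[0] == "+" else set()
            elif target in LUA_COMMANDS:
                (allowed.add if t[0] == "+" else allowed.discard)(target)
    return allowed

def audit_acl_list(text):
    """Map each user to its findings: missing password and/or remaining Lua access."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        issues = []
        if "off" in rules:                         # disabled users cannot authenticate
            findings[name] = issues
            continue
        if "nopass" in rules:
            issues.append("nopass: no password required")
        lua = allowed_lua_commands(rules)
        if lua:
            issues.append("can run Lua: " + ",".join(sorted(lua)))
        findings[name] = issues
    return findings
```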
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

