CVE-2026-23479 Overview
CVE-2026-23479 is a use-after-free vulnerability [CWE-416] in Redis, the in-memory data structure store. The flaw exists in the unblock client flow within redis-server versions 7.2.0 through 8.6.2. The unblock logic fails to handle an error return from processCommandAndResetClient when re-executing a blocked command. When a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free condition that may lead to remote code execution. Redis maintainers patched the issue in version 8.6.3.
Critical Impact
An authenticated attacker on a network-reachable Redis instance can trigger memory corruption that may result in remote code execution on the Redis server process.
Affected Products
- Redis redis-server 7.2.0 through 8.6.2
- Deployments using blocking commands with client eviction enabled
- Self-hosted Redis distributions built from affected upstream sources
Discovery Timeline
- 2026-05-05 - CVE-2026-23479 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-23479
Vulnerability Analysis
Redis supports blocking commands such as BLPOP, BRPOP, and XREAD BLOCK that suspend client execution until data becomes available or a timeout elapses. When the server unblocks a client, it re-executes the original command through the unblock flow. This flow invokes processCommandAndResetClient to dispatch the queued command and reset client state.
The vulnerability stems from an unchecked error return from processCommandAndResetClient. If client eviction occurs during re-execution, the client structure is freed while the unblock flow continues to reference it. Subsequent operations on the freed client object produce a use-after-free condition. An authenticated attacker can shape heap layout to influence the freed allocation and potentially achieve arbitrary code execution within the Redis server process.
Root Cause
The root cause is missing error handling for the return value of processCommandAndResetClient inside the unblock client code path. When client memory eviction frees the client during command re-execution, the caller does not detect the freed state and continues to dereference the stale pointer. This violates pointer lifetime guarantees and produces the use-after-free described in [CWE-416].
Attack Vector
Exploitation requires an authenticated session against the Redis server and the ability to issue blocking commands. The attacker triggers a blocking operation, then induces conditions that cause the server to evict the blocked client during unblock processing. Network exposure of Redis with valid credentials is sufficient. The attack complexity is high because the attacker must win a timing race and shape memory state to convert the use-after-free into reliable code execution.
Verified exploitation code is not publicly available. See the GitHub Security Advisory GHSA-93m2-935m-8rj3 for additional technical context from the Redis maintainers.
Detection Methods for CVE-2026-23479
Indicators of Compromise
- Unexpected redis-server process crashes or restarts with SIGSEGV or SIGABRT signals
- Redis log entries referencing assertion failures or invalid memory access during client unblock
- Anomalous spawning of child processes from the redis-server parent process
- Outbound network connections initiated by the Redis process to unknown destinations
Detection Strategies
- Inventory all Redis instances and identify versions between 7.2.0 and 8.6.2 across managed and unmanaged hosts
- Monitor authenticated Redis sessions issuing high volumes of blocking commands such as BLPOP, BRPOP, BLMOVE, and XREAD BLOCK
- Correlate Redis crash events with concurrent client eviction activity recorded in INFO clients output
- Review authentication logs for unexpected client connections preceding server instability
Monitoring Recommendations
- Enable verbose Redis logging and forward logs to a centralized analytics platform for correlation
- Track maxmemory policy events and client eviction counters exposed by INFO memory and INFO stats
- Alert on redis-server process restarts that occur outside scheduled maintenance windows
- Baseline normal blocking-command frequency per client and flag statistical outliers
How to Mitigate CVE-2026-23479
Immediate Actions Required
- Upgrade all redis-server instances to version 8.6.3 or later as the primary remediation
- Restrict network access to Redis ports using firewall rules and bind only to trusted interfaces
- Enforce strong authentication with requirepass or Access Control List (ACL) users and rotate credentials
- Audit ACL configurations and remove blocking command privileges from accounts that do not require them
Patch Information
Redis released the fix in version 8.6.3. The patch adds proper handling of the error return from processCommandAndResetClient in the unblock client flow, preventing further use of the client structure after eviction. Download the fixed release from the GitHub Redis Release 8.6.3 page and review the GitHub Security Advisory GHSA-93m2-935m-8rj3 for full details.
Workarounds
- Disable client eviction by setting maxmemory-clients to 0 until the patch can be applied
- Use Redis ACLs to deny blocking commands (-@blocking) for any user that does not require them
- Place Redis behind a network segmentation boundary that limits access to trusted application hosts only
- Enable TLS and require client certificate authentication to reduce the population of potential attackers
# Example ACL configuration removing blocking command access from an application user
redis-cli ACL SETUSER appuser on >StrongPasswordHere ~* +@all -@blocking -@dangerous
# Disable client eviction as a temporary mitigation
redis-cli CONFIG SET maxmemory-clients 0
# Verify running version after upgrade
redis-cli INFO server | grep redis_version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
