CVE-2026-23631 Overview
CVE-2026-23631 is a use-after-free vulnerability [CWE-416] in Redis versions prior to 8.6.3 with Lua scripting enabled. An authenticated attacker can abuse the master-replica synchronization mechanism to trigger memory corruption on replicas where replica-read-only is disabled, or where the attacker can disable it at runtime. Successful exploitation may lead to remote code execution on the affected replica node. Redis patched the issue in version 8.6.3. Exploitation requires authenticated access and has high attack complexity, but the impact on integrity and availability is significant.
Critical Impact
Authenticated attackers can achieve remote code execution on Redis replicas through a use-after-free condition triggered via Lua scripting and master-replica synchronization.
Affected Products
- Redis (all versions with Lua scripting prior to 8.6.3)
- Deployments where replica-read-only is disabled
- Deployments where replica-read-only can be disabled at runtime
Discovery Timeline
- 2026-05-05 - CVE-2026-23631 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-23631
Vulnerability Analysis
The vulnerability resides in how Redis handles Lua scripts during master-replica synchronization. When a master node executes a Lua script and propagates the resulting state to its replicas, an authenticated attacker can craft conditions that cause a replica to access memory after it has been freed. This use-after-free condition [CWE-416] lets the attacker influence the contents of freed memory, potentially achieving arbitrary code execution inside the redis-server process on the replica. Exploitation requires the replica to have replica-read-only disabled, or to be reachable by an account that can disable it (for example, one permitted to run CONFIG SET). The network attack vector and the authentication requirement narrow the attack surface, but compromised application credentials or insider access make this exploitable in production environments.
Root Cause
The root cause is improper memory lifetime management in the Lua scripting subsystem during replication. On the replica, an object tied to the propagated script state remains referenced after its backing memory has been released; the interaction between the script execution context and the replication stream opens a window in which that freed memory is dereferenced.
Attack Vector
An authenticated user with permission to execute Lua scripts on the master sends a script designed to manipulate replication state. The replica processes the propagated commands and accesses freed memory during synchronization. Because the corruption occurs on the replica, the attacker needs a writable replica (replica-read-only no) in the topology, or the ability to make one writable. The flaw cannot be triggered without valid Redis authentication.
No public proof-of-concept code is available. See the GitHub Security Advisory GHSA-8ghh-qpmp-7826 for vendor technical details.
Detection Methods for CVE-2026-23631
Indicators of Compromise
- Unexpected Redis replica process crashes or segmentation faults during or after Lua script execution
- Anomalous EVAL or EVALSHA command volume (or FCALL, for Lua-based Redis Functions) from authenticated clients in replication-enabled deployments
- Replica nodes resynchronizing repeatedly with the master without configuration changes
- Configuration changes that disable replica-read-only outside of approved change windows
Detection Strategies
- Monitor Redis logs for replica disconnection events, assertion failures, and crash dumps correlated with Lua command execution
- Audit for CONFIG SET replica-read-only no and any other runtime change to that setting, and alert on any occurrence in production environments
- Track Redis ACL events for users granted Lua scripting permissions and review whether those permissions are necessary
Monitoring Recommendations
- Enable Redis ACL logging and forward events to a centralized logging platform for correlation
- Baseline normal EVAL/EVALSHA patterns per client and alert on deviations
- Monitor process integrity of redis-server instances on replica hosts using endpoint telemetry
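The indicators and strategies above, turned into runnable detection logic. This is an added example, not code from Redis or the advisory; it runs over constructed MONITOR output and redis-server log lines embedded in the block, and the thresholds (five scripting calls per client, three resyncs per log window) are illustrative assumptions rather than vendor baselines.

```python
"""Detection logic for the indicators listed above, run over constructed sample
telemetry. Added example, not code from Redis or the advisory.

Inputs modelled:
  * redis-server log lines, searched for crash and resync markers, and
  * MONITOR output in Redis's documented format:
        <unix_ts> [<db> <client_addr>] "<CMD>" "<arg>" ...
Thresholds are illustrative assumptions, not vendor guidance.
"""
import re
import shlex
from collections import Counter

# Lua-executing commands in the @scripting ACL category (EVAL family and
# Redis Functions).
SCRIPTING_COMMANDS = {"EVAL", "EVALSHA", "EVAL_RO", "EVALSHA_RO",
                      "FCALL", "FCALL_RO", "FUNCTION"}

# Assumed baseline: more scripting calls than this from one client within a
# capture is treated as a burst worth reviewing.
SCRIPT_BURST_THRESHOLD = 5
# Assumed baseline: this many full resyncs in one log window is suspicious.
RESYNC_THRESHOLD = 3

# Strings redis-server writes to its log on a crash, assertion, or resync.
CRASH_MARKERS = ("=== REDIS BUG REPORT START",
                 "crashed by signal",
                 "=== ASSERTION FAILED ===")
RESYNC_MARKER = "MASTER <-> REPLICA sync started"

MONITOR_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<addr>[^\]]+)\] (?P<rest>.+)$')


def parse_monitor_line(line):
    """Return (timestamp, client address, argv) or None if not a MONITOR line."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    # MONITOR wraps every argument in double quotes; shlex undoes that.
    return float(m.group("ts")), m.group("addr"), shlex.split(m.group("rest"))


def analyze_monitor(lines, threshold=SCRIPT_BURST_THRESHOLD):
    """Flag runtime disabling of replica-read-only and per-client scripting bursts."""
    findings = []
    script_calls = Counter()
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        ts, addr, argv = parsed
        if not argv:
            continue
        cmd = argv[0].upper()
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            # CONFIG SET accepts several name/value pairs; check each one.
            for name, value in zip(argv[2::2], argv[3::2]):
                if name.lower() == "replica-read-only" and value.lower() == "no":
                    findings.append(("replica_read_only_disabled", addr, ts))
        if cmd in SCRIPTING_COMMANDS:
            script_calls[addr] += 1
    for addr, count in script_calls.items():
        if count > threshold:
            findings.append(("scripting_burst", addr, count))
    return findings


def analyze_server_log(lines, resync_threshold=RESYNC_THRESHOLD):
    """Flag crash/assertion markers and repeated full resyncs in redis-server logs."""
    findings = []
    resyncs = 0
    for line in lines:
        if any(marker in line for marker in CRASH_MARKERS):
            findings.append(("replica_crash", line.strip()))
        if RESYNC_MARKER in line:
            resyncs += 1
    if resyncs >= resync_threshold:
        findings.append(("repeated_resync", resyncs))
    return findings


# Constructed sample telemetry (not from a real incident). Client 10.0.0.9
# disables replica-read-only and then issues six scripting calls.
SAMPLE_MONITOR = [
    '1777982400.000001 [0 10.0.0.5:51000] "GET" "session:42"',
    '1777982400.000002 [0 10.0.0.5:51000] "EVALSHA" "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3" "0"',
    '1777982400.000003 [0 10.0.0.9:52000] "CONFIG" "SET" "replica-read-only" "no"',
] + [
    f'1777982400.{100000 + i:06d} [0 10.0.0.9:52000] "EVAL" "return redis.call(\'SET\', KEYS[1], ARGV[1])" "1" "k{i}" "v"'
    for i in range(6)
]

SAMPLE_LOG = [
    "4242:S 05 May 2026 10:00:01.000 * Connecting to MASTER 10.0.0.1:6379",
    "4242:S 05 May 2026 10:00:01.001 * MASTER <-> REPLICA sync started",
    "4242:S 05 May 2026 10:00:09.500 * MASTER <-> REPLICA sync started",
    "4242:S 05 May 2026 10:00:17.900 * MASTER <-> REPLICA sync started",
    "4242:S 05 May 2026 10:00:21.300 # Redis 8.6.2 crashed by signal: 11, si_code: 1",
    "4242:S 05 May 2026 10:00:21.301 # === REDIS BUG REPORT START: Cut & paste starting from here ===",
]

if __name__ == "__main__":
    for finding in analyze_monitor(SAMPLE_MONITOR) + analyze_server_log(SAMPLE_LOG):
        print(finding)
```

Running it prints one replica_read_only_disabled finding and one scripting_burst finding for 10.0.0.9, two replica_crash findings and one repeated_resync finding. In practice the MONITOR feed would come from a dedicated monitoring client (MONITOR is expensive on busy servers) and the log lines from the replica hosts' log shipper; the thresholds should be replaced with a baseline measured per client.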
How to Mitigate CVE-2026-23631
Immediate Actions Required
- Upgrade Redis to version 8.6.3 or later on all master and replica nodes
- Audit all replicas to confirm replica-read-only is enabled and that ACLs deny CONFIG SET (the @admin category) to application users so the setting cannot be changed at runtime
- Restrict Lua scripting permissions through Redis ACLs to only the accounts that require them
- Rotate Redis credentials if shared or long-lived authentication tokens are in use
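A way to carry out the audit steps above against captured command output, as an added example that is not Redis or advisory code. It parses INFO, CONFIG GET and ACL LIST output (constructed samples here, so it runs offline), compares the version against 8.6.3, and applies a simplified left-to-right model of ACL command rules to decide whether a user can run EVAL; on a live server, ACL DRYRUN is the authoritative check for a given user and command.

```python
"""Offline audit of a replica's exposure to the conditions described above
(unpatched version, writable replica, users able to run Lua). Added example,
not Redis or advisory code. It parses captured output of INFO, CONFIG GET and
ACL LIST so it runs without a server; the samples below are constructed.
Live equivalents: redis-cli INFO / CONFIG GET replica-read-only / ACL LIST.
"""
import re

FIXED_VERSION = (8, 6, 3)  # first patched release named in the advisory

# ACL tokens that grant or revoke EVAL/EVALSHA when applied left to right.
# EVAL is in both @scripting and @slow (it is not a @fast command), so
# granting +@slow also grants it. This is a simplified model of ACL rules;
# on a live server, ACL DRYRUN <user> EVAL ... is authoritative.
ENABLE_TOKENS = {"+@all", "allcommands", "+@scripting", "+@slow", "+eval", "+evalsha"}
DISABLE_TOKENS = {"-@all", "nocommands", "-@scripting", "-@slow", "-eval", "-evalsha"}


def parse_version(text):
    """'8.6.2' -> (8, 6, 2): the first three numeric components of the string."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def version_is_vulnerable(version_text):
    return parse_version(version_text) < FIXED_VERSION


def parse_info(text):
    """INFO output is 'key:value' lines with '# Section' headers and blank lines."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def parse_config_get(text):
    """redis-cli prints CONFIG GET as numbered, quoted name/value pairs."""
    values = [m.group(1) for m in re.finditer(r'^\s*\d+\)\s*"(.*)"\s*$', text, re.M)]
    return dict(zip(values[0::2], values[1::2]))


def scripting_allowed(acl_list_line):
    """Evaluate an ACL LIST line ('user <name> <rules...>') for EVAL access."""
    allowed = False  # a new user starts with no commands (-@all)
    for token in acl_list_line.split()[2:]:
        if token in ENABLE_TOKENS:
            allowed = True
        elif token in DISABLE_TOKENS:
            allowed = False
    return allowed


def audit_replica(info_text, config_get_text, acl_list_lines):
    """Return a list of finding strings for one node."""
    findings = []
    info = parse_info(info_text)
    version = info.get("redis_version", "")
    if version_is_vulnerable(version):
        findings.append(f"vulnerable_version:{version}")
    if info.get("role") == "slave":  # INFO still reports the replica role as 'slave'
        if parse_config_get(config_get_text).get("replica-read-only") != "yes":
            findings.append("replica_writable")
    for line in acl_list_lines:
        if scripting_allowed(line):
            findings.append(f"scripting_allowed:{line.split()[1]}")
    return findings


# Constructed sample captures (not from a real deployment).
SAMPLE_INFO = """# Server
redis_version:8.6.2
redis_mode:standalone

# Replication
role:slave
master_host:10.0.0.1
master_port:6379
"""

SAMPLE_CONFIG_GET = """1) "replica-read-only"
2) "no"
"""

SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user appuser on #e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ~* &* -@all +@read +@write -@scripting",
    "user ops on #e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ~* &* -@all +@slow",
]

if __name__ == "__main__":
    for finding in audit_replica(SAMPLE_INFO, SAMPLE_CONFIG_GET, SAMPLE_ACL_LIST):
        print(finding)
```

Feeding it live data means replacing the three constants with the output of redis-cli INFO, redis-cli CONFIG GET replica-read-only and redis-cli ACL LIST for each replica. The ops user in the sample is the case worth noticing: it was never granted +@scripting, yet +@slow is enough to run EVAL, which is why an ACL review should check effective command access rather than the presence of the scripting category alone.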
Patch Information
The vulnerability is patched in Redis version 8.6.3. Refer to the GitHub Security Advisory GHSA-8ghh-qpmp-7826 for vendor guidance and full version applicability.
Workarounds
- Disallow Lua script execution by adding -@scripting to the ACL rules of application users and not granting them +@all
- Ensure replicas run with replica-read-only yes and deny CONFIG SET to application users so the setting cannot be changed at runtime
- Isolate Redis replication traffic on a private network segment with strict authentication and access controls
# Configuration example: enforce read-only replicas and restrict Lua scripting
# /etc/redis/redis.conf on every replica
replica-read-only yes
# Redis ACL for application users (redis-cli). Rules apply left to right, so the
# deny rules come last; -@admin explicitly excludes CONFIG, which could otherwise
# flip replica-read-only at runtime.
ACL SETUSER appuser on >STRONG_PASSWORD ~* -@all +@read +@write -@scripting -@admin
# Verify the effective rules and the replica setting
ACL GETUSER appuser
CONFIG GET replica-read-only
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.