CVE Vulnerability Database

CVE-2026-25243: Redis RCE Vulnerability

CVE-2026-25243 is a remote code execution vulnerability in Redis affecting versions up to 8.6.3. The RESTORE command fails to validate serialized payloads, enabling attackers to execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2026-25243 Overview

CVE-2026-25243 is a heap-based memory corruption vulnerability [CWE-122] in Redis, the in-memory data structure store. The flaw exists in the RESTORE command, which fails to properly validate serialized values before processing them. An authenticated attacker with permission to execute RESTORE can submit a crafted serialized payload that triggers invalid memory access. This memory corruption may lead to remote code execution on the host running redis-server. The issue affects all redis-server versions up to 8.6.3 and is fixed in version 8.6.3.

Critical Impact

Authenticated attackers with RESTORE privileges can corrupt heap memory and potentially achieve remote code execution against the Redis server process.

Affected Products

  • Redis redis-server versions up to 8.6.3
  • Deployments exposing the RESTORE command to non-administrative users
  • Self-hosted and containerized Redis instances built from affected upstream sources

Discovery Timeline

  • 2026-05-05 - CVE-2026-25243 published to NVD
  • 2026-05-06 - Last updated in NVD database

Technical Details for CVE-2026-25243

Vulnerability Analysis

Redis exposes the RESTORE command to recreate keys from a serialized binary value previously produced by DUMP. The deserializer in versions through 8.6.3 does not fully validate the structure or length fields embedded in the serialized payload. When the parser encounters a malformed payload, it performs invalid memory access on the heap, classified under [CWE-122] as a heap-based buffer overflow. The corruption is reachable across the network from any authenticated session that holds the RESTORE capability.

Because Redis processes commands in its main event loop, memory corruption directly impacts the server process address space. Successful manipulation of heap metadata or adjacent allocations can pivot the corruption into control-flow hijack and remote code execution.

Root Cause

The root cause is improper input validation in the deserialization routine backing the RESTORE command. Length and type fields within the serialized blob are trusted without bounds checks against the surrounding buffer. A crafted blob causes the parser to read or write beyond the intended allocation.
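To make the missing check concrete, here is an added example (not Redis source code, and not the patched routine) of a bounds-checked reader for the length-prefix encoding that DUMP/RESTORE payloads carry. It assumes the publicly documented layout of a DUMP blob for a plain string: a type byte, an RDB length prefix, the value bytes, then a 2-byte RDB version and an 8-byte CRC64 trailer; the sample payloads and their CRC bytes are constructed placeholders.

```python
import struct

RDB_TYPE_STRING = 0
TRAILER_LEN = 2 + 8  # 2-byte RDB version + 8-byte CRC64 close every DUMP blob

class MalformedPayload(ValueError):
    pass

def read_length(buf, pos, end):
    """Decode an RDB length prefix at pos without reading at or past end."""
    if pos >= end:
        raise MalformedPayload("length prefix missing")
    first = buf[pos]
    kind = first >> 6
    if kind == 0:                       # 00xxxxxx: 6-bit length
        return first & 0x3F, pos + 1
    if kind == 1:                       # 01xxxxxx yyyyyyyy: 14-bit length
        if pos + 2 > end:
            raise MalformedPayload("truncated 14-bit length")
        return ((first & 0x3F) << 8) | buf[pos + 1], pos + 2
    if first == 0x80:                   # 32-bit big-endian length follows
        if pos + 5 > end:
            raise MalformedPayload("truncated 32-bit length")
        return struct.unpack(">I", buf[pos + 1:pos + 5])[0], pos + 5
    if first == 0x81:                   # 64-bit big-endian length follows
        if pos + 9 > end:
            raise MalformedPayload("truncated 64-bit length")
        return struct.unpack(">Q", buf[pos + 1:pos + 9])[0], pos + 9
    raise MalformedPayload("unsupported length encoding in this example")

def parse_dump_string(payload):
    """Parse a DUMP blob holding a plain string; every declared length is
    checked against the bytes actually present instead of being trusted."""
    if len(payload) < 1 + TRAILER_LEN:
        raise MalformedPayload("shorter than type byte plus trailer")
    end = len(payload) - TRAILER_LEN    # value bytes must stop before the trailer
    if payload[0] != RDB_TYPE_STRING:
        raise MalformedPayload(f"unsupported type byte {payload[0]}")
    length, pos = read_length(payload, 1, end)
    if length > end - pos:              # the bounds check the advisory describes as missing
        raise MalformedPayload(f"declared {length} bytes, only {end - pos} present")
    version, crc = struct.unpack("<HQ", payload[end:])
    return {"value": payload[pos:pos + length], "rdb_version": version, "crc64": crc}

# Constructed samples; the CRC bytes are placeholders, not a real CRC64
GOOD = b"\x00\x05hello" + b"\x0c\x00" + b"\x00" * 8
BAD = b"\x00\x3fhello" + b"\x0c\x00" + b"\x00" * 8   # claims 63 bytes, carries 5
```

A parser that skips the `length > end - pos` comparison would index past the value into the trailer or beyond the buffer, which is the class of invalid access the advisory attributes to the unpatched deserializer.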

Attack Vector

The attack vector is network-based but requires authenticated access and the privilege to invoke RESTORE. An attacker who compromises any application credential mapped to a Redis user with RESTORE permission can deliver the malicious payload over a normal client connection. No user interaction is required.

No verified public proof-of-concept code is available. The vulnerability mechanism is documented in the Redis Security Advisory GHSA-c8h9-259x-jff4.

Detection Methods for CVE-2026-25243

Indicators of Compromise

  • Unexpected redis-server process crashes or SIGSEGV events recorded in system logs
  • RESTORE commands originating from application accounts that do not normally perform key restoration
  • Anomalously large or malformed serialized payloads passed to RESTORE
  • Child processes spawned by redis-server outside of normal persistence or replication workflows

Detection Strategies

  • Enable Redis command logging or MONITOR in controlled windows to capture RESTORE invocations and the invoking user
  • Correlate Redis ACL events with application identities to flag accounts that gained RESTORE permission outside change control
  • Alert on redis-server crash loops or restarts coinciding with client RESTORE activity
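The first two strategies above can be scripted against MONITOR output. The following is an added example, not from the page or from Redis, that flags RESTORE invocations by source address and by the size of the escaped serialized argument; the allowlisted address, the size threshold and the sample lines are constructed assumptions to be tuned per deployment.

```python
import re

# MONITOR line shape: <unix ts> [<db> <ip:port>] "CMD" "arg1" "arg2" ...
MONITOR_RE = re.compile(r'^(\S+) \[(\d+) ([^\]]+)\] "([^"]+)"(.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')   # quoted args, MONITOR escapes binary as \xNN

RESTORE_ALLOWED_SOURCES = {"10.0.0.5"}   # assumed host that legitimately restores keys
MAX_EXPECTED_PAYLOAD = 64                # assumed baseline for escaped payload length

def parse_monitor_line(line):
    """Split one MONITOR line into its fields; return None if it does not match."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ts, db, addr, cmd, rest = m.groups()
    return {"ts": ts, "db": int(db), "ip": addr.rsplit(":", 1)[0],
            "cmd": cmd.upper(), "args": ARG_RE.findall(rest)}

def restore_findings(lines):
    """Return (ts, ip, reason) tuples for RESTORE calls that merit triage."""
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or ev["cmd"] != "RESTORE":
            continue
        if ev["ip"] not in RESTORE_ALLOWED_SOURCES:
            findings.append((ev["ts"], ev["ip"], "RESTORE from non-allowlisted source"))
        # RESTORE key ttl serialized-value: the third argument is the DUMP blob
        if len(ev["args"]) >= 3 and len(ev["args"][2]) > MAX_EXPECTED_PAYLOAD:
            findings.append((ev["ts"], ev["ip"],
                             f"serialized payload of {len(ev['args'][2])} chars exceeds baseline"))
    return findings

# Constructed sample MONITOR output (not captured traffic)
SAMPLE = [
    '1778000000.100000 [0 10.0.0.5:51000] "RESTORE" "session:1" "0" "\\x00\\x05hello\\x0c\\x00..."',
    '1778000001.200000 [0 10.0.0.9:40211] "GET" "session:1"',
    '1778000002.300000 [0 10.0.0.9:40211] "RESTORE" "x" "0" "' + "\\x41" * 40 + '"',
]
```

MONITOR does not print the ACL username, so the source address is the join key; pair these findings with ACL LOG or client-list data when you need to name the account.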

Monitoring Recommendations

  • Forward Redis logs and host telemetry to a centralized analytics platform for correlation across time
  • Monitor outbound network connections from the Redis host that deviate from baseline replication and client traffic
  • Track ACL configuration changes in source control and alert when +restore is granted to a user

How to Mitigate CVE-2026-25243

Immediate Actions Required

  • Upgrade redis-server to version 8.6.3 or later, which contains the validated deserializer
  • Inventory all Redis instances, including container images and managed service versions, to confirm patch status
  • Audit Redis ACL rules and revoke RESTORE from any user that does not require it
  • Rotate Redis credentials if RESTORE-capable accounts may have been exposed

Patch Information

The vendor fix is included in Redis 8.6.3. The advisory at GHSA-c8h9-259x-jff4 confirms the patch addresses the unsafe handling of serialized payloads in the RESTORE command path.

Workarounds

  • Restrict the RESTORE command using Redis ACL rules, for example removing +restore from non-administrative users
  • Bind redis-server to internal interfaces only and require strong authentication on every client
  • Place Redis behind network segmentation and firewall rules that limit which hosts can issue commands

```bash
# Configuration example: deny RESTORE for an application user via redis-cli
# The password and key-pattern rules are quoted so the shell does not treat
# '>' as a redirection or expand '~*' as a glob.
redis-cli ACL SETUSER appuser on '>STRONG_PASSWORD' '~*' +@all -restore
# Verify the rule
redis-cli ACL GETUSER appuser
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
