At ZeroDay.Cloud 2025, researchers discovered critical Remote Code Execution vulnerabilities in Redis.
Executive Summary
During the ZeroDay.Cloud competition, security researchers discovered and disclosed five critical vulnerabilities in Redis — one of the world's most widely deployed databases — within the two days of the competition. All five are critical Remote Code Execution (RCE) bugs that let an authenticated attacker take over the Redis server.
Redis released patches for all five vulnerabilities and published an official security advisory. Self-managed Redis deployments should upgrade as soon as possible.
This post provides an overview of each CVE and links to several full technical writeups. Those detailed reports examine the underlying root causes, the specific techniques, and the exploitation vectors discovered during the event.
CVE Overview
CVE-2026-23479 | Use-After-Free in Unblock Client Flow
CVSS: 7.7 (High) | Discovered by: Xint Code
When a blocked client is evicted while re-executing a blocked command, Redis fails to handle the error returned by processCommandAndResetClient. An authenticated attacker can exploit this to trigger a use-after-free condition, potentially leading to RCE.
Read the comprehensive technical analysis for CVE-2026-23479.
CVE-2026-25243 | Invalid Memory Access in RESTORE Command
CVSS: 7.7 (High) | Discovered by: Emil Lerner, Joseph Surin
The Redis RESTORE command does not properly validate serialized values. An authenticated attacker can supply a crafted serialized payload to trigger invalid memory access, potentially enabling arbitrary code execution on the Redis server.
Read the comprehensive technical analysis for CVE-2026-25243.
CVE-2026-23631 | Lua Use-After-Free via Master-Replica Synchronization
CVSS: 6.1 (Medium) | Discovered by: Yoni Sherez
An authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free in the Lua scripting engine. This affects replicas where replica-read-only is disabled and could lead to RCE. As a workaround, prevent users from executing Lua scripts, or do not run replicas with replica-read-only disabled.
Read the comprehensive technical analysis for CVE-2026-23631.
CVE-2026-25588 | Invalid Memory Access in RESTORE via RedisTimeSeries
CVSS: 7.7 (High) | Discovered by: Joseph Surin, John Stephenson, Annie Nie
This vulnerability extends the RESTORE command flaw to deployments using the RedisTimeSeries module. An authenticated attacker can craft a malicious serialized payload to trigger invalid memory access and achieve RCE within the Redis server's execution context.
CVE-2026-25589 | Invalid Memory Access in RESTORE via RedisBloom
CVSS: 7.7 (High) | Discovered by: Daniel Firer
Similar in nature to CVE-2026-25588, this flaw affects the RESTORE command when used with the RedisBloom module. A specially crafted serialized payload can trigger out-of-bounds reads and writes, potentially leading to RCE.
Wiz Detection and Mitigation Guidance
Wiz customers can use the pre-built query and advisory in the Wiz Threat Center to assess the risk in their environment.
Wiz identifies both internal and publicly exposed Redis instances in your environment affected by these vulnerabilities, and alerts you to instances that have been misconfigured to allow unauthenticated access or use weak or default passwords.
Patched Versions
Redis patched the bugs on May 5, 2026. The fix was shipped across all five maintained release series.
| Release series | Affected versions | Fixed version |
|---|---|---|
| Redis 7.2.x | 7.2.0 – 7.2.13 | 7.2.14 |
| Redis 7.4.x | 7.4.0 – 7.4.8 | 7.4.9 |
| Redis 8.2.x | 8.2.0 – 8.2.5 | 8.2.6 |
| Redis 8.4.x | 8.4.0 – 8.4.2 | 8.4.3 |
| Redis 8.6.x | 8.6.0 – 8.6.2 | 8.6.3 |
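As an added check (not code from this post, from Wiz, or from Redis), the Python script below reads a server's INFO output and its CONFIG GET values and flags a version below the fixed release for its series, an affected module loaded on an unpatched build, a replica running with replica-read-only disabled (the CVE-2026-23631 workaround), and an empty requirepass. The module names "timeseries" and "bf" and the role:slave field are assumptions about how INFO reports them, and the sample INFO text is constructed.

```python
"""Check a Redis server's INFO output and CONFIG GET values against the table above."""
import re

FIXED = {(7, 2): (7, 2, 14), (7, 4): (7, 4, 9), (8, 2): (8, 2, 6),
         (8, 4): (8, 4, 3), (8, 6): (8, 6, 3)}  # fixed version per series, from the table
# Module names as assumed to appear in INFO's Modules section; confirm on your build.
MODULE_CVES = {"timeseries": "CVE-2026-25588", "bf": "CVE-2026-25589"}

def parse_version(text):
    """Turn 'x.y.z' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())

def parse_info(info_text):
    """Parse INFO 'key:value' lines; loaded module names are collected separately."""
    fields, modules = {}, []
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:            # blank lines and '# Section' headers carry no colon
            continue
        if key == "module":
            modules += re.findall(r"name=([^,]+)", value)
        else:
            fields[key] = value
    return fields, modules

def assess(info_text, config):
    """Return findings for one server; config maps CONFIG GET names to their values."""
    fields, modules = parse_info(info_text)
    dotted = lambda v: ".".join(map(str, v))
    ver = parse_version(fields.get("redis_version", "0.0.0"))
    fixed, findings = FIXED.get(ver[:2]), []
    if fixed is None:
        findings.append(f"version {dotted(ver)}: series not in the patch table, consult the advisory")
    elif ver < fixed:
        findings.append(f"version {dotted(ver)} is below fixed {dotted(fixed)}: upgrade")
        # The module RESTORE flaws only add exposure when the affected module is loaded.
        findings += [f"module {m} loaded: also exposed to {MODULE_CVES[m]}"
                     for m in modules if m in MODULE_CVES]
    # CVE-2026-23631 workaround: replicas must keep replica-read-only enabled.
    if fields.get("role") in ("slave", "replica") and config.get("replica-read-only", "yes") != "yes":
        findings.append("replica with replica-read-only disabled: CVE-2026-23631 workaround not in place")
    if config.get("requirepass") == "":  # empty requirepass: default user unauthenticated unless ACLs restrict it
        findings.append("no password set: the authentication these bugs require is not enforced")
    return findings

# Constructed sample, not a real capture: an unpatched 7.4.8 replica with RedisBloom loaded.
SAMPLE_INFO = ("# Server\nredis_version:7.4.8\n# Replication\nrole:slave\n# Modules\n"
               "module:name=bf,ver=20806,api=1,filters=0,usedby=[],using=[],options=[]\n")
SAMPLE_CONFIG = {"replica-read-only": "no", "requirepass": ""}
```

Feed it the text of `redis-cli INFO` and the name/value pairs from `redis-cli CONFIG GET replica-read-only` and `CONFIG GET requirepass` for each instance you manage.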
For the full details, see the official Redis security advisory.