{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21863", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.367Z", "datePublished": "2026-02-23T19:41:28.783Z", "dateUpdated": "2026-02-23T19:41:28.783Z"}, "containers": {"cna": {"title": "Malformed Valkey Cluster bus message can lead to Remote DoS", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"}], "affected": [{"vendor": "valkey-io", "product": "valkey", "versions": [{"version": "< 7.2.12", "status": "affected"}, {"version": ">= 8.0.0, < 8.0.7", "status": "affected"}, {"version": ">= 8.1.0, < 8.1.6", "status": "affected"}, {"version": ">= 9.0.0, < 9.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-23T19:41:28.783Z"}, "descriptions": [{"lang": "en", "value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."}], "source": {"advisory": "GHSA-c677-q3wr-gggq", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."}], "id": "CVE-2026-21863", "lastModified": "2026-02-24T14:13:49.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-23T20:28:53.853", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "valkey: Valkey: Denial of Service via invalid clusterbus packet", "id": "2442026", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442026"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-125", "details": ["A flaw was found in Valkey, a distributed key-value database. A malicious actor with access to the Valkey clusterbus port can exploit an input validation vulnerability by sending a specially crafted invalid clusterbus packet. This lack of validation for clusterbus ping extension packets can lead to an out-of-bounds read. Consequently, this may cause the system to crash, resulting in a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict network access to the Valkey cluster bus port. Configure network access control lists (ACLs) or firewall rules to ensure that only trusted hosts can connect to the cluster bus port. This limits the attack surface by preventing unauthorized actors from sending malicious clusterbus packets."}, "name": "CVE-2026-21863", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "valkey", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "valkey", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-23T19:41:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-21863\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-21863\nhttps://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq"], "statement": "This issue is rated High severity by Red Hat Product Security, because Valkey is commonly deployed as a network-accessible service or embedded within applications that accept remote input over standard network interfaces. In such environments, a remote attacker can trigger the vulnerability by sending specially crafted data to the service. Successful exploitation results in a service crash, leading to a denial-of-service condition. Although no confidentiality or integrity impacts are observed, the ability to repeatedly crash the service over the network justifies a High availability impact rating.\nThis vulnerability affects Valkey deployments where the cluster bus connection is exposed.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.2.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.0.0,8.0.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.1.0,8.1.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.0.0,9.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "valkey", "source": "cna", "vendor": "valkey-io"}, "product": "valkey", "vendor": "valkey-io"}], "created": "2026-02-24T09:55:27.626513+00:00", "updated": "2026-02-24T09:55:27.626613+00:00", "vendors": ["valkey-io", "valkey-io$PRODUCT$valkey"]}