EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Redis Software, Open Source (OSS), and Community Edition (CE) versions, primarily impacting memory management and specific command processing. These flaws allow authenticated users to potentially seize control of the Redis server process, leading to Remote Code Execution (RCE). The business risk and impact include full compromise of the affected system, data exfiltration, or service disruption, posing significant threats to data security and availability. It is crucial that administrators of self-managed Redis versions upgrade to the latest patched releases immediately to mitigate these risks.

CVE-2026-25243 (CVSS score 7.7) – A vulnerability in the Redis RESTORE command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.

CVE-2026-25588 (CVSS score 7.7) – This flaw specifically impacts the RedisTimeSeries module, allowing an authenticated user to exploit a Use-After-Free (UAF) condition, potentially leading to RCE.

CVE-2026-25589 (CVSS score 7.7) – The RedisBloom module is targeted by this vulnerability, which allows an authenticated user to exploit a UAF condition, potentially leading to RCE.

CVE-2026-23479 (CVSS score 7.7) – This vulnerability is triggered when a blocked client is evicted while re-executing a command, potentially creating an opening for RCE.

CVE-2026-23631 (CVSS score 6.1) – An authenticated user can exploit the master-replica synchronization mechanism to trigger a UAF vulnerability in the Lua Scripting module.
RECOMMENDATION:
We strongly recommend updating to the following versions or later:

For CVE-2026-23479, CVE-2026-25243 and CVE-2026-23631: Redis version 6.2.22, 7.2.14, 7.4.9, or 8.2.6+ (or later)

For CVE-2026-25588: RedisTimeSeries module version 1.12.14, 1.10.24, or 1.8.23 (or later)

For CVE-2026-25589: RedisBloom module version 2.8.20, 2.6.28, or 2.4.23 (or later)
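The following script is an added example for checking a self-managed instance against the fixed versions listed above; it is not part of this advisory or of Redis's own tooling. It takes the text returned by `redis-cli INFO` (the `redis_version` line from the Server section and the `module:name=...,ver=...` lines from the Modules section) and reports, per release branch, whether the running version meets the minimum listed in the recommendation. It assumes that RedisTimeSeries and RedisBloom register under the module names `timeseries` and `bf`, and that the integer module version is encoded as major*10000 + minor*100 + patch; both assumptions are marked in the code, and the INFO sample is constructed for the example. Branches the advisory does not list (for example 8.0.x) are reported as "unlisted" rather than guessed at, since the page gives no fixed version for them.

```python
"""Compare Redis server and module versions reported by INFO against the
minimum patched versions from this advisory's RECOMMENDATION section.
Added example; not the advisory's or Redis's own code."""
import re

# Minimum patched version per (major, minor) branch, taken from the RECOMMENDATION.
REDIS_FIXED = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
}
# Module names as reported by MODULE LIST / INFO modules (assumed: "timeseries", "bf").
MODULE_FIXED = {
    "timeseries": {(1, 12): (1, 12, 14), (1, 10): (1, 10, 24), (1, 8): (1, 8, 23)},
    "bf": {(2, 8): (2, 8, 20), (2, 6): (2, 6, 28), (2, 4): (2, 4, 23)},
}


def parse_version(text):
    """Parse a leading 'major.minor.patch' from a version string; trailing
    build suffixes (e.g. '7.4.8-123') are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def decode_module_ver(ver):
    """Decode the integer module version (assumed major*10000 + minor*100 + patch)."""
    return (ver // 10000, (ver // 100) % 100, ver % 100)


def assess(version, fixed_by_branch):
    """Return 'patched', 'vulnerable', or 'unlisted' (branch not in the advisory)."""
    branch = version[:2]
    if branch not in fixed_by_branch:
        return "unlisted"  # not covered by the page; consult the vendor's release notes
    return "patched" if version >= fixed_by_branch[branch] else "vulnerable"


def check_info(info_text):
    """Scan INFO output and assess the server and any listed modules of interest."""
    results = {}
    m = re.search(r"^redis_version:(\S+)", info_text, re.M)
    if m:
        results["redis"] = assess(parse_version(m.group(1)), REDIS_FIXED)
    # INFO modules lines look like: module:name=<name>,ver=<int>,api=...  (assumed format)
    for name, ver in re.findall(r"^module:name=([^,]+),ver=(\d+)", info_text, re.M):
        if name in MODULE_FIXED:
            results[name] = assess(decode_module_ver(int(ver)), MODULE_FIXED[name])
    return results


# Constructed sample of `redis-cli INFO` output (CRLF line endings, as Redis emits).
SAMPLE_INFO = (
    "# Server\r\nredis_version:7.4.8\r\nredis_mode:standalone\r\n\r\n"
    "# Modules\r\n"
    "module:name=timeseries,ver=11212,api=1,filters=0,usedby=[],using=[],options=[]\r\n"
    "module:name=bf,ver=20820,api=1,filters=0,usedby=[],using=[],options=[]\r\n"
)

if __name__ == "__main__":
    for component, status in check_info(SAMPLE_INFO).items():
        print(f"{component}: {status}")
```

To use it against a live instance, pipe the output of `redis-cli INFO` (with whatever authentication the deployment requires) into `check_info`; a "vulnerable" result for any component means the corresponding upgrade in the recommendation still has to be applied, and an "unlisted" result means the branch is not among those the advisory names and should be verified against the vendor's release notes.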
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/redis-rce-vulnerabilities-memory-corruption-restore-command-patch/