SecuriTricks - CVE-2026-21863

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

Product(s) Impacted

Vendor	Product	Versions
Valkey	Valkey	<7.2.12, 8.0.7, 8.1.6, 9.0.2

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-125

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	valkey	valkey	<7.2.12	/	/	/	/	/	/	/
a	valkey	valkey	8.0.7	/	/	/	/	/	/	/
a	valkey	valkey	8.1.6	/	/	/	/	/	/	/
a	valkey	valkey	9.0.2	/	/	/	/	/	/	/

References

https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq

CVSS Score

7.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

View Vector String

Timeline

Published: Feb. 23, 2026, 8:28 p.m.
Last Modified: Feb. 24, 2026, 2:13 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

CVE-2026-21863