CVE-2026-21863

CVE-2026-21863

Name

CVE-2026-21863

Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq

Type

URI

security-advisories@github.com

https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:lfprojects:valkey::::::::`	valkey	>= None	< 7.2.12
`cpe:2.3:a:lfprojects:valkey::::::::`	valkey	>= 8.0.0	< 8.0.7
`cpe:2.3:a:lfprojects:valkey::::::::`	valkey	>= 8.1.0	< 8.1.6
`cpe:2.3:a:lfprojects:valkey::::::::`	valkey	>= 9.0.0	< 9.0.2

CPE URI

Source package

Min version

Max version

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*

valkey

>= None

< 7.2.12

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*

valkey

>= 8.0.0

< 8.0.7

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*

valkey

>= 8.1.0

< 8.1.6

cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*

valkey

>= 9.0.0

< 9.0.2

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
valkey	edge-main	9.0.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	9.0.0-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	8.1.4-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	8.1.1-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	8.1.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	8.1.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	7.2.9-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	7.2.8-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	edge-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.23-main	9.0.0-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.22-main	8.1.4-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.22-main	8.1.1-r2	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.22-main	8.1.1-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.22-main	7.2.9-r0	None	possibly vulnerable
valkey	3.22-main	7.2.8-r0	None	possibly vulnerable
valkey	3.22-main	7.2.7-r0	None	possibly vulnerable
valkey	3.21-main	7.2.11-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.21-main	7.2.9-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.21-main	7.2.9-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.21-main	7.2.8-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.21-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.20-main	7.2.11-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.20-main	7.2.9-r1	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.20-main	7.2.9-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.20-main	7.2.8-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
valkey	3.20-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages