CVE-2026-25243

NameCVE-2026-25243
DescriptionRedis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
redis (PTS)bullseye5:6.0.16-1+deb11u2vulnerable
bullseye (security)5:6.0.16-1+deb11u8vulnerable
bookworm, bookworm (security)5:7.0.15-1~deb12u6vulnerable
trixie (security), trixie5:8.0.2-3+deb13u1vulnerable
forky5:8.0.6-1vulnerable
sid5:8.0.6-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redissourceexperimental5:8.6.3-1
redissource(unstable)(unfixed)

Notes

https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4
check redict and valkey
Search for package or bug name: Reporting problems