CVE-2026-25243

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 06, 2026

CWE ID

CWE-122

Source

NVD

Vendor

redis

Product

redis

External References

https://github.com/redis/redis/releases/tag/8.6.3
https://github.com/redis/redis/security/advisories/GHSA-c8h9-259x-jff4

CVE-2026-25243

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment