Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Valkey: Malicious packet can crash database, expose internal network
CVE-2026-21863
Summary
A flaw in Valkey's cluster communication allows a malicious actor to crash the database by sending a malformed packet. This could happen if the clusterbus port is exposed to the internet or an untrusted network. To protect against this, update to version 9.0.2 or later, and restrict access to the clusterbus port with network access controls.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lfprojects | valkey | <= 7.2.12 | – |
| lfprojects | valkey | > 8.0.0 , <= 8.0.7 | – |
| lfprojects | valkey | > 8.1.0 , <= 8.1.6 | – |
| lfprojects | valkey | > 9.0.0 , <= 9.0.2 | – |
Original title
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause ...
Original description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
nvd CVSS3.1
7.5
Vulnerability type
CWE-125
Out-of-bounds Read
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026