Valkey Key-Value Database Crashes from Malicious Network Attack

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.5

Valkey Key-Value Database Crashes from Malicious Network Attack

CVE-2026-21863 GHSA-c677-q3wr-gggq

Summary

Valkey versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12 can be crashed by a malicious network attack. This could cause the database to become unavailable. To fix this, update to the latest version and consider restricting access to the database's network connection.

Original title

Malformed Valkey Cluster bus message can lead to Remote DoS

Original description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

osv CVSS3.1 7.5

Vulnerability type

CWE-125 Out-of-bounds Read

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/21xxx/CVE-2026-21863... Vendor Advisory
https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-21863 Vendor Advisory

Published: 23 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026