Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Valkey: Malicious Lua scripts can crash or alter data
ALSA-2026:3443
Summary
Valkey's scripting feature allows malicious scripts to crash the system or tamper with data. This can happen if an attacker sends specially crafted scripts to the system. To stay safe, update Valkey to the latest version as soon as possible.
What to do
- Update almalinux valkey to version 8.0.7-1.el10_1.
- Update almalinux valkey-devel to version 8.0.7-1.el10_1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | valkey | <= 8.0.7-1.el10_1 | 8.0.7-1.el10_1 |
| almalinux | valkey-devel | <= 8.0.7-1.el10_1 | 8.0.7-1.el10_1 |
Original title
Important: valkey security update
Original description
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also.
Security Fix(es):
* Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733)
* valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Security Fix(es):
* Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733)
* valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- https://access.redhat.com/errata/RHSA-2026:3443 Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2025-67733 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-21863 Third Party Advisory
- https://bugzilla.redhat.com/2442025 Third Party Advisory
- https://bugzilla.redhat.com/2442026 Third Party Advisory
- https://errata.almalinux.org/10/ALSA-2026-3443.html Vendor Advisory
Published: 26 Feb 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026