Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
Valkey: Data Tampering and Denial of Service Risks with Lua Scripts
ALSA-2026:3507
Summary
Valkey's Lua scripting feature can be exploited to tamper with data and cause the system to crash. This is due to how Valkey handles special characters in scripts. To fix this, update to the latest version of Valkey. You should also be cautious when allowing user-generated Lua scripts, especially if they can be executed by other users or systems.
What to do
- Update almalinux valkey to version 8.0.7-1.el9_7.
- Update almalinux valkey-devel to version 8.0.7-1.el9_7.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| almalinux | valkey | <= 8.0.7-1.el9_7 | 8.0.7-1.el9_7 |
| almalinux | valkey-devel | <= 8.0.7-1.el9_7 | 8.0.7-1.el9_7 |
Original title
Important: valkey security update
Original description
Valkey is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing set intersection, union and difference; or getting the member with highest ranking in a sorted set. In order to achieve its outstanding performance, Valkey works with an in-memory dataset. Depending on your use case, you can persist it either by dumping the dataset to disk every once in a while, or by appending each command to a log. Valkey also supports trivial-to-setup master-slave replication, with very fast non-blocking first synchronization, auto-reconnection on net split and so forth. Other features include Transactions, Pub/Sub, Lua scripting, Keys with a limited time-to-live, and configuration settings to make Valkey behave like a cache. You can use Valkey from most programming languages also.
Security Fix(es):
* Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733)
* valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Security Fix(es):
* Valkey: Valkey: Data tampering and denial of service via improper null character handling in Lua scripts (CVE-2025-67733)
* valkey: Valkey: Denial of Service via invalid clusterbus packet (CVE-2026-21863)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- https://access.redhat.com/errata/RHSA-2026:3507 Vendor Advisory
- https://access.redhat.com/security/cve/CVE-2025-67733 Third Party Advisory
- https://access.redhat.com/security/cve/CVE-2026-21863 Third Party Advisory
- https://bugzilla.redhat.com/2442025 Third Party Advisory
- https://bugzilla.redhat.com/2442026 Third Party Advisory
- https://errata.almalinux.org/9/ALSA-2026-3507.html Vendor Advisory
Published: 2 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026