Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Valkey Bloom Filter module causes server to shut down
CVE-2026-21864
Summary
A flaw in the Valkey Bloom Filter module can cause a Valkey server to shut down if it receives a specially crafted command. This happens when the module doesn't handle errors properly. To fix this, you can either update to the latest version or disable the unused RESTORE command if you're not using it in your application.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| lfprojects | valkey-bloom | <= 1.0.1 | – |
Original title
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a...
Original description
Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
nvd CVSS3.1
7.5
Vulnerability type
CWE-20
Improper Input Validation
Published: 24 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026