Last updated: July 5, 2026 at 9:01 AM UTC

Autonomous AI tool finds 2-year-old Redis use-after-free RCE CVE-2026-23479 - most cloud Redis runs passwordless, exploit public

Team Xint Code has disclosed CVE-2026-23479, a use-after-free remote code execution flaw in Redis that sat unnoticed in every stable branch from 7.2.0 until the May 5 fixes - over two years. The bug lives in unblockClientOnKey(), which keeps using a client pointer after processCommandAndResetClient() can free it. Exploitation needs an authenticated session, but Wiz's analysis finds Redis in most cloud environments, with the majority of those instances running passwordless, where the default user already holds every privilege the exploit chain requires. The published exploit leaks a heap pointer via Lua, reclaims the freed client with a fake structure, and overwrites a GOT entry to repoint strcasecmp() at system(). NVD rates it 8.8.

Check
Inventory Redis instances and confirm each version is at or past the May 5 fix for its branch. Identify passwordless or internet-reachable deployments. Audit for unexpected Lua EVAL activity and for child processes spawned by redis-server.
Affected
Redis 7.2.0 through the May 5 fixes (over two years of stable branches). Exploitation needs an authenticated session, but most cloud Redis runs passwordless with the all-privileged default user.
Fix
Upgrade Redis to the patched release. Require authentication and strong ACLs, bind to localhost or private networks, never expose Redis to the internet. Enable full RELRO when building images.
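The Check and Fix steps above can be turned into a repeatable triage script. The following is an added example, not code from Team Xint Code, Wiz or the Redis project. It consumes the text that `redis-cli INFO server`, `redis-cli ACL LIST`, `redis-cli INFO commandstats` and a redis.conf already contain, so it runs offline; every sample input below is constructed, and the patched release numbers are a placeholder to be filled from the vendor's May 5 release notes, since the article gives only the date.

```python
"""Offline triage for the Redis exposure conditions described above (added example)."""
import re

# PLACEHOLDER: first patched release per stable branch. The article gives only the
# fix date (May 5); replace these tuples with the numbers from the vendor release notes.
FIXED_BY_BRANCH_PLACEHOLDER = {(7, 2): (7, 2, 99)}

SCRIPT_COMMANDS = ("cmdstat_eval", "cmdstat_evalsha", "cmdstat_eval_ro", "cmdstat_evalsha_ro")

# Constructed samples in the shape redis-cli returns; not captured from any real host.
SAMPLE_INFO_SERVER = "# Server\r\nredis_version:7.2.4\r\nredis_mode:standalone\r\ntcp_port:6379\r\n"
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<hash-placeholder> ~app:* &* -@all +@read +@write",
]
SAMPLE_COMMANDSTATS = (
    "# Commandstats\r\n"
    "cmdstat_get:calls=1200,usec=900,usec_per_call=0.75,rejected_calls=0,failed_calls=0\r\n"
    "cmdstat_eval:calls=37,usec=4100,usec_per_call=110.81,rejected_calls=0,failed_calls=0\r\n"
)
WEAK_CONF = "bind 0.0.0.0\nprotected-mode no\nport 6379\n"
HARDENED_CONF = "bind 127.0.0.1 -::1\nprotected-mode yes\naclfile /etc/redis/users.acl\n"


def parse_info(text):
    """Turn INFO output (key:value lines, CRLF, '#' section headers) into a dict."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            result[key] = value
    return result


def parse_version(version):
    """'7.2.4' -> (7, 2, 4); missing components are treated as 0."""
    nums = [int(p) for p in version.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def version_is_vulnerable(version, fixed_by_branch=FIXED_BY_BRANCH_PLACEHOLDER):
    """Affected range starts at 7.2.0; a branch with no known fix is treated as unpatched."""
    v = parse_version(version)
    if v < (7, 2, 0):
        return False
    fixed = fixed_by_branch.get(v[:2])
    return fixed is None or v < fixed


def default_user_state(acl_lines):
    """Return (enabled, passwordless, all_commands) for the default user from ACL LIST lines."""
    for line in acl_lines:
        parts = line.split()
        if parts[:2] == ["user", "default"]:
            flags = set(parts[2:])
            return "on" in flags, "nopass" in flags, "+@all" in flags
    return False, False, False


def script_calls(commandstats_text):
    """Sum the calls counters of the EVAL-family commands from INFO commandstats."""
    total = 0
    for key, value in parse_info(commandstats_text).items():
        if key in SCRIPT_COMMANDS:
            m = re.search(r"calls=(\d+)", value)
            total += int(m.group(1)) if m else 0
    return total


def config_findings(conf_text):
    """Flag redis.conf settings that leave an instance reachable without credentials."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), []).append(value.strip())
    findings = []
    addrs = " ".join(settings.get("bind", [])).split()  # no bind line means all interfaces
    if not addrs or any(a.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for a in addrs):
        findings.append("bind: listens on all interfaces")
    if settings.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode no")
    if "requirepass" not in settings and "aclfile" not in settings and "user" not in settings:
        findings.append("no requirepass, aclfile or user directive: default user has no password")
    return findings


def audit(info_server, acl_lines, commandstats, conf_text, fixed_by_branch=FIXED_BY_BRANCH_PLACEHOLDER):
    """Combine the checks into a list of findings for one instance."""
    findings = []
    version = parse_info(info_server).get("redis_version", "0.0.0")
    if version_is_vulnerable(version, fixed_by_branch):
        findings.append(f"redis_version {version} is in the affected range or unverified")
    enabled, passwordless, all_cmds = default_user_state(acl_lines)
    if enabled and passwordless:
        findings.append("default user is enabled with nopass" + (" and +@all" if all_cmds else ""))
    calls = script_calls(commandstats)
    if calls:
        findings.append(f"{calls} EVAL-family calls since last stats reset: review who runs Lua")
    findings.extend(config_findings(conf_text))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INFO_SERVER, SAMPLE_ACL_LIST, SAMPLE_COMMANDSTATS, WEAK_CONF):
        print("FINDING:", finding)
```

An unknown branch is deliberately reported as vulnerable rather than silently skipped, so a fleet inventory errs toward a manual look instead of a false clean result. The commandstats counter only shows that Lua scripting has been used since the last CONFIG RESETSTAT; attributing those calls to a client still needs MONITOR or client-side logs, and the child-process check from the Check section belongs in host monitoring rather than in this script.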