Security advisory: [CVE‑2026‑23479] [CVE‑2026‑25243] [CVE-2026-25588] [CVE‑2026‑25589] [CVE-2026-23631] | Redis
Redis · 2026-05-05 · via Redis

What happened?

As part of an ongoing effort by the Redis community and Redis to maintain our safety, security, and compliance posture, five security vulnerabilities in Redis have been proactively identified and remediated in the versions indicated below.

What are the vulnerabilities?

  1. CVE-2026-23479 – Use-after-free in the unblock-client flow may lead to remote code execution.
    CVSS Score: 7.7 (High)
    When a blocked client is evicted while re-executing a blocked command, an authenticated user may trigger a use-after-free, potentially leading to remote code execution. The code does not handle the case where processing the command (processCommandAndResetClient) returns an error value.
  2. CVE-2026-25243 – Invalid memory access in the Redis RESTORE command may lead to remote code execution.
    CVSS Score: 7.7 (High)
    A vulnerability in the Redis RESTORE command allows an authenticated user to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
    Successful exploitation could allow an attacker with authenticated access to execute arbitrary code in the context of the Redis server, potentially leading to full compromise of the affected system, data exfiltration, or service disruption.
  3. CVE-2026-25588 – Invalid memory access in the RESTORE command when used with the RedisTimeSeries module may lead to remote code execution.
    CVSS Score: 7.7 (High)
    A vulnerability in the RESTORE command, when used with the RedisTimeSeries module, allows an authenticated attacker to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
    Successful exploitation could allow an attacker with authenticated access to execute arbitrary code in the context of the Redis server when the RedisTimeSeries module is loaded, potentially leading to full compromise of the affected system, data exfiltration, or service disruption.
  4. CVE-2026-25589 – Invalid memory access in the RESTORE command when used with the RedisBloom module may lead to remote code execution.
    CVSS Score: 7.7 (High)
    A vulnerability in the RESTORE command, when used with the RedisBloom module, allows an authenticated attacker to trigger an invalid memory access via a specially crafted serialized payload, potentially resulting in remote code execution.
    Successful exploitation could allow an attacker with authenticated access to execute arbitrary code in the context of the Redis server when the RedisBloom module is loaded, potentially leading to full compromise of the affected system, data exfiltration, or service disruption.
  5. CVE-2026-23631 – Lua use-after-free may lead to remote code execution.
    CVSS Score: 6.1 (Medium)
    An authenticated user may exploit the master-replica synchronization mechanism to trigger a use-after-free, potentially leading to remote code execution. The bug affects only replicas that are configured, or may be configured, with replica-read-only disabled, and exists in all versions of Redis with Lua scripting.

How can you protect your Redis instance?

If you’re a Redis Cloud customer, your Redis instance is protected against these vulnerabilities, as we’ve already upgraded our Redis Cloud service with the fixes. If you’re self-managing Redis Software, Open Source (OSS), or Community (CE) versions, there are several steps you should take to protect your Redis from exploitation. Exposure to these vulnerabilities requires an attacker to gain authenticated access to your Redis instance, making this a post-authentication issue that can lead to remote code execution (RCE).

To remediate these vulnerabilities, upgrade your Redis to the latest versions; see the table below for full details. To minimize the risk of exploitation, follow these best practices:

  • Restrict Network Access: Ensure that only authorized users and systems have access to the Redis database. Use firewalls and network policies to limit access to trusted sources and prevent unauthorized connectivity.
  • Enforce Strong Authentication: Enforce the use of credentials for all access to Redis instances. Avoid configurations that allow unauthenticated access, and ensure protected-mode is enabled (in CE and OSS) to prevent accidental exposure.
  • Limit Permissions: Ensure that user identities with access to Redis are granted the minimum permissions necessary. Only allow trusted identities to run potentially risky commands.
  • Update Regularly: Keep Redis updated to the latest version for the newest security patches.
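The four practices above can be checked mechanically. The following is an added example, not Redis's own tooling: it takes the values an operator would read from CONFIG GET and ACL LIST (constructed samples here; the ACL password hash is a placeholder) and reports every setting that contradicts a bullet, including the replica-read-only state that CVE-2026-23631 depends on.

```python
"""Audit Redis hardening settings against the advisory's best-practice list (added example, not Redis tooling)."""

# Constructed sample shaped like CONFIG GET <parameter> responses from a weakly configured instance
SAMPLE_CONFIG = {
    "protected-mode": "no",
    "bind": "0.0.0.0",
    "requirepass": "",
    "replica-read-only": "no",
}
# Constructed sample shaped like ACL LIST output; the #... password hash is a placeholder
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #" + "0" * 64 + " ~app:* resetchannels -@all +get +set",
]

def parse_acl(line):
    """One ACL LIST line -> (name, enabled, has_password, command rules)."""
    parts = line.split()
    flags = parts[2:]
    enabled = "on" in flags
    has_password = "nopass" not in flags and any(f.startswith("#") for f in flags)
    rules = [f for f in flags if f[0] in "+-"]
    return parts[1], enabled, has_password, rules

def audit(config, acl_lines):
    """Return the list of findings; an empty list means every check passed."""
    findings = []
    if config.get("protected-mode") != "yes":
        findings.append("protected-mode is off: enable it to prevent accidental exposure")
    bind = config.get("bind", "")
    # An empty bind, 0.0.0.0, * or :: means the server listens on every interface
    if not bind or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in bind.split()):
        findings.append(f"bind={bind!r} listens on all interfaces: restrict to trusted sources")
    if config.get("replica-read-only") != "yes":
        findings.append("replica-read-only is off: the precondition for CVE-2026-23631 on replicas")
    users = [parse_acl(l) for l in acl_lines]
    default_open = any(n == "default" and on and not pw for n, on, pw, _ in users)
    if not config.get("requirepass") and default_open:
        findings.append("no requirepass and the default user is nopass: unauthenticated access is allowed")
    for name, on, _, rules in users:
        if on and "+@all" in rules and "-@dangerous" not in rules:
            findings.append(f"user {name!r} is granted +@all: limit it to the commands it needs "
                            "(RESTORE is in the @dangerous category)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_ACL):
        print("-", finding)
```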

For more details on how to securely configure, deploy, and use Redis, visit the Community Edition and Enterprise Software documentation sites.

Am I impacted and how can I remediate?

If you’re a Redis Cloud customer, we’ve already upgraded our Redis Cloud service with the fixes, so no additional action is required from you.

If you’re self-managing Redis, whether Software or Community versions, upgrade your Redis to the latest release.

The versions of Redis OSS, CE and Software listed below and future versions include the corrections. Once the upgrades are performed, the vulnerability will be remediated in your environment.

You can download the latest versions here: https://redis.io/downloads/

Vulnerability, impacted releases and fixed releases:

  • CVE-2026-23479
    • Redis Cloud: all deployments were impacted; all Redis Cloud deployments are now running fixed builds (see the Redis Cloud note below).
    • Redis Software: versions up to and including 8.0.6 are impacted, unless you are running one of the fixed builds listed here or a later minor release in the same version line. Fixed releases: Redis Software 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279 and 7.2.4-153.
    • Redis OSS/CE: all releases are impacted. Fixed releases: OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3.
  • CVE-2026-25243
    • Redis Cloud: all deployments were impacted; all Redis Cloud deployments are now running fixed builds (see the Redis Cloud note below).
    • Redis Software: versions up to and including 8.0.6 are impacted, unless you are running one of the fixed builds listed here or a later minor release in the same version line. Fixed releases: Redis Software 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
    • Redis OSS/CE: all releases are impacted. Fixed releases: OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3.
  • CVE-2026-25588
    • Redis Cloud: all deployments were impacted; all Redis Cloud deployments are now running fixed builds (see the Redis Cloud note below).
    • Redis Software: versions up to and including 8.0.6 are impacted, unless you are running one of the fixed builds listed here or a later minor release in the same version line. Fixed releases: Redis Software 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
    • Redis OSS/CE: all releases are impacted. Fixed releases: OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3, and RedisTimeSeries v1.12.14, v1.10.24, v1.8.23.
  • CVE-2026-25589
    • Redis Cloud: all deployments were impacted; all Redis Cloud deployments are now running fixed builds (see the Redis Cloud note below).
    • Redis Software: versions up to and including 8.0.6 are impacted, unless you are running one of the fixed builds listed here or a later minor release in the same version line. Fixed releases: Redis Software 8.0.10-64, 7.22.2-79, 7.8.6-253, 7.4.6-279, and 7.2.4-153.
    • Redis OSS/CE: all releases are impacted. Fixed releases: OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3, and RedisBloom v2.8.20, v2.6.28, v2.4.23.
  • CVE-2026-23631
    • Redis OSS/CE: all releases where replica-read-only is disabled are impacted. Fixed releases: OSS/CE 6.2.22, 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3.

Redis Cloud note: as of this publication, all Redis Cloud deployments are running fixed builds. We ensure timely rollout of CVE patches across our cloud, so customers remain protected and are not exposed to known vulnerabilities. Please note that fixed releases in Redis Cloud may differ from OSS and Redis Software, as fixes are applied directly to Cloud builds.
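To check a running OSS/CE instance against the fixed releases above, the following added example (not part of the advisory) parses INFO server and INFO modules output (a constructed sample is embedded) and reports each component as fixed, vulnerable, or on a release line the table does not list. It assumes the modules report themselves as "timeseries" and "bf" and that the module ver field uses the usual major*10000 + minor*100 + patch encoding; release lines above the newest listed one are treated as fixed because the advisory states that future versions include the corrections.

```python
"""Triage a Redis instance against the fixed releases in this advisory (added example, not Redis tooling)."""
import re

# OSS/CE fixed releases from the advisory table: release line -> minimum fixed patch level
FIXED_REDIS = {(6, 2): 22, (7, 2): 14, (7, 4): 9, (8, 2): 6, (8, 4): 3, (8, 6): 3}
# Module fixed releases; keys are the module names assumed to appear in INFO modules
FIXED_MODULES = {
    "timeseries": {(1, 12): 14, (1, 10): 24, (1, 8): 23},  # RedisTimeSeries, CVE-2026-25588
    "bf": {(2, 8): 20, (2, 6): 28, (2, 4): 23},            # RedisBloom, CVE-2026-25589
}

# Constructed sample of `INFO server` and `INFO modules` output from a lagging instance
SAMPLE_INFO = """# Server
redis_version:7.4.8
redis_mode:standalone
# Modules
module:name=timeseries,ver=11213,api=1,filters=0,usedby=[],using=[],options=[handle-io-errors]
module:name=bf,ver=20820,api=1,filters=0,usedby=[],using=[],options=[]
"""

def parse_version(text):
    """'7.4.8' -> (7, 4, 8); anything after the patch number is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def decode_module_ver(ver):
    """Module 'ver' integers are assumed to use major*10000 + minor*100 + patch."""
    return (ver // 10000, (ver // 100) % 100, ver % 100)

def status(version, table):
    """'fixed', 'vulnerable' or 'unlisted' for a (major, minor, patch) against a fixed-release table."""
    major, minor, patch = version
    line = (major, minor)
    if line in table:
        return "fixed" if patch >= table[line] else "vulnerable"
    if line > max(table):
        return "fixed"      # advisory: listed versions and future versions include the corrections
    return "unlisted"       # no fixed build listed for this line: treat as impacted and escalate

def triage(info_text):
    """Map each component found in INFO output to its status."""
    result = {}
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            result["redis"] = status(parse_version(line.split(":", 1)[1]), FIXED_REDIS)
        elif line.startswith("module:"):
            m = re.search(r"name=(\w+),ver=(\d+)", line)
            if m and m.group(1) in FIXED_MODULES:
                result[m.group(1)] = status(decode_module_ver(int(m.group(2))), FIXED_MODULES[m.group(1)])
    return result

if __name__ == "__main__":
    for component, verdict in triage(SAMPLE_INFO).items():
        print(f"{component}: {verdict}")
```

Redis Software builds carry a different version scheme (for example 8.0.10-64), so compare those against the Redis Software column by hand rather than with this table.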

How can I tell if I was already exposed and how can I identify exploitation?

Refer to the table above to identify if you are on a vulnerable version.

As of this publication we have no evidence of exploitation of these vulnerabilities at Redis or in customer environments.

This isn’t a comprehensive guide, but it is a general recommendation you can adapt to your needs and operating environment.

There are a number of technical and behavioral indicators or artifacts that may be created if exploitation of the vulnerability occurred. If you search for these within your Redis environment, you should be able to detect potential exploitation related to your Redis instance.

  • Access to the Redis database from unauthorized or unknown sources
  • Unknown or anomalous network ingress traffic to the Redis database
  • Unexplained Redis server crashes, specifically crashes with a stack trace that originates from the Lua engine
  • Unknown, unexpected, or anomalous command execution by the redis-server user
  • Unknown or anomalous network egress traffic (or attempts) from the Redis database
  • Unknown or anomalous changes to the file system, in particular in directories that host Redis persistent or configuration files

Who gets the credit?

We thank the following researchers for their vigilance in reporting these vulnerabilities through our published process. We would also like to thank Wiz for the partnership and hosting Wiz ZeroDay.Cloud, where a number of these vulnerabilities were identified:

  • CVE-2026-23479: reported by independent researchers Team Xint Code (Tim Becker @tjbecker, Jacob Newman, and Juno IM)
  • CVE-2026-25243: the following issues were reported by:
    • Redis: double-free, discovered by independent researcher Emil Lerner (@emil_lerner)
    • VectorSets: integer overflow and out-of-bounds read, discovered by independent researcher Joseph Surin
  • CVE-2026-25588: discovered by independent researchers Team Skateboarding Dog (Joseph Surin, John Stephenson, and Annie Nie)
  • CVE-2026-25589: the following issues were reported by:
    • RedisBloom: out-of-bounds read/write, discovered by Daniel Firer
    • RedisBloom: integer overflow, heap buffer overflow, and out-of-bounds read/write, discovered by independent researcher Joseph Surin
  • CVE-2026-23631: discovered by independent researcher Yoni Sherez (@yoyosh__)