CVE-2022-31144
Published: 19 July 2022
Summary
CVE-2022-31144 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Redis. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Redis is an in-memory database that persists on disk. A specially crafted XAUTOCLAIM command targeting a stream key in a specific state can trigger a heap overflow that leads to remote code execution. The flaw affects the 7.x branch prior to version 7.0.4 and is tracked under CWE-122 and CWE-787.
An attacker with local access and low privileges can supply the malicious command to exploit the overflow. Successful exploitation yields arbitrary code execution on the affected Redis instance, although the CVSS vector indicates high attack complexity.
The official patch is included in Redis 7.0.4. Public advisories, including the GitHub security advisory and downstream notices from Gentoo and NetApp, direct users to upgrade to the fixed release to eliminate the vulnerable code path. The associated EPSS score has remained in the 0.20–0.24 range without a pronounced post-disclosure climb.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-52768
Vulnerability details
Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in a heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections that mark data regions such as the heap as non-executable.