CVE-2022-35977

Severity: Medium
Published: 20 January 2023
Modified: 03 November 2025
CVSS v3.1 score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.3327 (98.2th percentile)
Risk priority: 60 (floored blend · peak EPSS)

Summary

CVE-2022-35977 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis Redis. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 1.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Redis is an in-memory database that persists on disk and is affected by an integer overflow vulnerability tracked as CVE-2022-35977. Authenticated users who issue specially crafted SETRANGE and SORT(_RO) commands can trigger the flaw, causing Redis to attempt allocation of impossible amounts of memory and abort with an out-of-memory panic. The issue is classified under CWE-190 and carries a CVSS 3.1 score of 5.5, reflecting local access, low attack complexity, low privileges required, no user interaction, and high impact on availability only.

An attacker with an authenticated session on the Redis instance can exploit the vulnerability to induce a denial-of-service condition by forcing the server process to terminate. No additional privileges or user interaction are required beyond the ability to execute the affected commands.

Official patches are available in Redis versions 7.0.8, 6.2.9, and 6.0.17; the project’s security advisory and release notes direct users to upgrade to these versions, noting that no workarounds exist. The associated EPSS score has remained flat at 0.3555 with no material rise after disclosure.
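As an added illustration of the CWE-190 pattern this advisory describes (example code written for this page, not Redis's own source), the block below places a naive "offset + length" bounds check, which a wrapped sum slips past, beside a form that never computes the sum and so cannot overflow. The 512 MiB limit and the function names are assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed limit standing in for a server's configured maximum string
 * size (assumption: 512 MiB). Not taken from Redis. */
#define MAX_STRING_LEN (512LL * 1024 * 1024)

/* Naive check (the CWE-190 pattern): a signed 64-bit offset parsed from the
 * command is added to the append length and the sum is compared as a signed
 * value. When the sum wraps into the negative range, a request that would need
 * an impossible amount of memory passes the check and reaches the allocator.
 * The uint64_t cast makes the wraparound well defined for the demonstration;
 * the conversion back to long long is modular on gcc and clang. */
bool naive_length_ok(long long offset, long long append) {
    long long total = (long long)((uint64_t)offset + (uint64_t)append);
    return total <= MAX_STRING_LEN;
}

/* Hardened check: reject negative operands, then ask whether the append fits
 * in the room left after the offset. MAX_STRING_LEN - offset cannot overflow
 * because both values are non-negative, so no sum is ever formed. */
bool safe_length_ok(long long offset, long long append) {
    if (offset < 0 || append < 0)
        return false;
    return append <= MAX_STRING_LEN - offset;
}

/* Size the allocation path would be asked for, or -1 when the request is
 * rejected, so a wrapped value never reaches the allocator. */
long long required_size(long long offset, long long append) {
    if (!safe_length_ok(offset, append))
        return -1;
    return offset + append;   /* bounded by MAX_STRING_LEN, cannot overflow */
}

int main(void) {
    /* Constructed inputs: an ordinary write and one with a huge offset. */
    printf("normal   naive=%d safe=%d\n",
           naive_length_ok(100, 10), safe_length_ok(100, 10));
    printf("wrapping naive=%d safe=%d size=%lld\n",
           naive_length_ok(LLONG_MAX, 10), safe_length_ok(LLONG_MAX, 10),
           required_size(LLONG_MAX, 10));
    return 0;
}
```

The second line of output shows the naive check accepting the huge offset while the hardened check rejects it and the size function returns -1.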

Vulnerability details

Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an out-of-memory (OOM) panic.

The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Integer overflow in Redis commands directly enables application exploitation resulting in process termination and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-46817 (same product: Redis Redis)
CVE-2023-25155 (same product: Redis Redis)
CVE-2023-22458 (same product: Redis Redis)
CVE-2025-46819 (same product: Redis Redis)
CVE-2024-51741 (same product: Redis Redis)
CVE-2022-31144 (same product: Redis Redis)
CVE-2025-27151 (same product: Redis Redis)
CVE-2021-31294 (same product: Redis Redis)
CVE-2023-28425 (same product: Redis Redis)
CVE-2023-41053 (same product: Redis Redis)

Affected Assets

Vendor: redis
Product: redis
Versions: 6.0.0 — 6.0.17 · 6.2.0 — 6.2.9 · 7.0.0 — 7.0.8

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation): Directly requires applying the available patches in Redis 7.0.8/6.2.9/6.0.17 that eliminate the integer-overflow path in SETRANGE and SORT(_RO).

prevent (SI-10 Information Input Validation): Mandates validation of command arguments to reject or sanitize the specially crafted values that trigger the CWE-190 overflow.

prevent: Requires mechanisms to limit or throttle resource-exhaustion effects from the OOM panic induced by the malformed commands.