Cyber Resilience

CVE-2023-36824

Severity: High

Published: 11 July 2023

Modified: 10 April 2025
KEV Added: not listed
Patch: available (fixed in Redis 7.0.12)
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8900 (99.5th percentile)
Risk Priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-36824 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Fedoraproject Fedora. Its CVSS base score is 7.4 (High).

Operationally, it ranks in the top 0.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis 7.0 prior to version 7.0.12 contains a heap overflow vulnerability in the logic that extracts key names from commands and argument lists. The flaw can be triggered by the COMMAND GETKEYS and COMMAND GETKEYSANDFLAGS subcommands or by any command whose key names are matched by ACL rules, resulting in out-of-bounds reads, heap corruption, and potential remote code execution. The issue is tracked under CWE-122, CWE-131, and CWE-787 and carries a CVSS 3.1 score of 7.4.

Authenticated users are able to exploit the condition by submitting specially crafted commands that reference variadic key-name lists. Successful exploitation can disclose heap memory contents or corrupt allocator state, enabling arbitrary code execution on the Redis server process.

The vulnerability is fixed in Redis 7.0.12. The official advisory and release notes recommend immediate upgrade; downstream distributions such as Fedora have published corresponding package updates, and NetApp has issued an advisory for affected storage products. The EPSS score has remained near its peak of 0.9084 with a current value of 0.8900.

Vulnerability details

Redis is an in-memory database that persists on disk. In Redis 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Scenarios that may lead to this include authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`, and authenticated users who were set with ACL rules that match key names executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
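As an added triage example (not part of the advisory, the NVD entry, or the Redis project's own code), the following Python checks an instance against the two conditions described above: the affected version range, read from `INFO server` output, and ACL users whose rules match key names, read from `ACL LIST` output. The sample outputs and user names are constructed, and the rule that users granted all keys (`~*` / `allkeys`) are not reported is an assumption of this example, not a statement from the advisory.

```python
import re

# Affected range taken from the advisory: Redis 7.0.0 up to, but not including, 7.0.12.
AFFECTED_MIN = (7, 0, 0)
FIXED_VERSION = (7, 0, 12)

# Constructed sample of `INFO server` output (not a real capture).
SAMPLE_INFO = "# Server\r\nredis_version:7.0.11\r\nredis_mode:standalone\r\n"

# Constructed sample of `ACL LIST` output with hypothetical users.
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* -@all +@read +@write",
    "user reporter on #<sha256-placeholder> %R~report:* &* -@all +get +mget",
]

def parse_redis_version(info_text):
    """Return redis_version from INFO output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if m is None:
        raise ValueError("redis_version not present in INFO output")
    return tuple(int(part) for part in m.groups())

def is_affected_version(version):
    """True for any 7.0.x release older than the fixed 7.0.12."""
    return AFFECTED_MIN <= tuple(version) < FIXED_VERSION

def key_restricted_users(acl_lines):
    """Names of ACL users whose rules carry a key pattern narrower than all keys."""
    # Assumption (not from the advisory): users granted every key via `~*` or
    # `allkeys` are not put through key matching, so only narrower patterns count.
    flagged = []
    for line in acl_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "user":
            continue
        name, rules = fields[1], fields[2:]
        patterns = [r for r in rules if re.match(r"^(%R|%W|%RW)?~", r)]
        if "allkeys" in rules or "~*" in patterns or not patterns:
            continue
        flagged.append(name)
    return flagged

def assess(info_text, acl_lines):
    """One finding per instance: version status plus the users worth reviewing."""
    version = parse_redis_version(info_text)
    affected = is_affected_version(version)
    users = key_restricted_users(acl_lines) if affected else []
    return {"version": version, "affected": affected, "key_restricted_users": users}
```

Running `assess(SAMPLE_INFO, SAMPLE_ACL_LIST)` on the constructed samples reports version 7.0.11 as affected and lists `app` and `reporter` as the users whose key patterns exercise the key-matching path; the remediation in every case is the upgrade to 7.0.12.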

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

redis / redis: 7.0.0 to 7.0.12 (fixed in 7.0.12)
fedoraproject / fedora: 37, 38

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by memory protections that mark data pages non-executable.
