Cyber Resilience

CVE-2023-41056

Severity: High
Published: 10 January 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: fix released (7.0.15, 7.2.4)
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0732 (91.9th percentile)
Risk Priority: 21 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41056 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis (vendor: Redis, product: redis). Its CVSS base score is 8.1 (High).

Operationally, its EPSS score places it in the top 8.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis is an in-memory database that persists on disk and is affected by an integer overflow vulnerability (CWE-190) that occurs during memory buffer resizing. The flaw produces a heap overflow that can lead to remote code execution. It impacts versions prior to the fixes released in 7.0.15 and 7.2.4 and carries a CVSS 3.1 score of 8.1.

An unauthenticated network attacker can trigger the condition without user interaction, although successful exploitation requires high attack complexity. If achieved, the attacker obtains the ability to execute arbitrary code on the Redis host, resulting in full confidentiality, integrity, and availability impact.

The official GitHub security advisory and release notes for 7.0.15 and 7.2.4 state that the issue has been resolved by correcting buffer-resizing logic. Downstream distributions such as Fedora have published corresponding package updates. The associated EPSS score has remained low, moving only from 0.0732 to a peak of 0.0751 with no material upward trajectory after disclosure.


Vulnerability details

Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers, which can result in an integer overflow that leads to a heap overflow and potential remote code execution. This issue has been patched in versions 7.0.15 and 7.2.4.

CWE(s)

CWE-190: Integer Overflow or Wraparound

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product   Affected versions
redis           redis     7.0.9 — 7.0.15 · 7.2.0 — 7.2.4
fedoraproject   fedora    38, 39

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
