CVE-2023-41056
Published: 10 January 2024
Summary
CVE-2023-41056 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Redis. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 8.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
Redis is an in-memory database that persists on disk and is affected by an integer overflow vulnerability (CWE-190) that occurs during memory buffer resizing. The flaw produces a heap overflow that can lead to remote code execution. It impacts versions prior to the fixes released in 7.0.15 and 7.2.4 and carries a CVSS 3.1 score of 8.1.
An unauthenticated network attacker can trigger the condition without user interaction, although successful exploitation requires high attack complexity. If achieved, the attacker obtains the ability to execute arbitrary code on the Redis host, resulting in full confidentiality, integrity, and availability impact.
The official GitHub security advisory and release notes for 7.0.15 and 7.2.4 state that the issue has been resolved by correcting buffer-resizing logic. Downstream distributions such as Fedora have published corresponding package updates. The associated EPSS score has remained low, moving only from 0.0732 to a peak of 0.0751 with no material upward trajectory after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-45579
Vulnerability details
Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers, which can result in an integer overflow that leads to a heap overflow and potential remote code execution. This issue has been patched in versions 7.0.15 and 7.2.4.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.