CVE-2024-55656

Severity: High
Published: 08 January 2025
Modified: 15 April 2026
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1311 (94.3 percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-55656 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.7% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

RedisBloom, a module that extends Redis with probabilistic data structures such as Count-Min Sketch, is affected by an integer overflow vulnerability (CWE-190) in the CMS.INITBYDIM command. The flaw resides in NewCMSketch(), which accepts attacker-controlled width and depth values and performs an allocation that wraps around, resulting in a smaller heap buffer than intended and subsequent out-of-bounds memory access.

An authenticated Redis client that knows the module password can send a crafted CMS.INITBYDIM command over the network to trigger the overflow. Successful exploitation grants the ability to read and write beyond the allocated buffer, enabling information disclosure and arbitrary memory corruption with high impact on confidentiality, integrity, and availability.

The issue is fixed in RedisBloom releases 2.2.19, 2.4.12, 2.6.14, and 2.8.2, as stated in the project’s GitHub security advisory. The EPSS score has remained flat at 0.1311 with no material increase after disclosure.
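To make the wraparound concrete, the following added C example (written for this page, not RedisBloom's own NewCMSketch() code) models the CMS.INITBYDIM sizing step with an assumed 4-byte counter and shows the unchecked width-by-depth product beside the SI-10 style validation that refuses it:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative model of the CMS.INITBYDIM sizing step (an assumption for this
 * example, not RedisBloom's NewCMSketch()): a Count-Min Sketch holds
 * width * depth counters, each CMS_COUNTER_BYTES wide. */
#define CMS_COUNTER_BYTES 4

/* Unchecked form: the product is computed in 64-bit unsigned arithmetic and
 * wraps silently, so huge dimensions can yield a tiny byte count. */
size_t cms_bytes_unchecked(uint64_t width, uint64_t depth) {
    return (size_t)(width * depth * CMS_COUNTER_BYTES);
}

/* Checked form (the SI-10 input-validation control): rejects zero dimensions
 * and any product that would not fit in size_t. Returns 0 on rejection, which
 * is never a valid size here because both dimensions must be at least 1. */
size_t cms_bytes_checked(uint64_t width, uint64_t depth) {
    if (width == 0 || depth == 0) return 0;
    if (width > SIZE_MAX / depth) return 0;             /* width*depth wraps */
    uint64_t cells = width * depth;
    if (cells > SIZE_MAX / CMS_COUNTER_BYTES) return 0; /* byte count wraps */
    return (size_t)(cells * CMS_COUNTER_BYTES);
}

/* Handler-style wrapper: allocate the counter table only after the size has
 * been validated. A NULL result here means the request was refused. */
void *cms_alloc_checked(uint64_t width, uint64_t depth) {
    size_t bytes = cms_bytes_checked(width, depth);
    if (bytes == 0) return NULL;
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed dimensions: (2^63 + 1) * 2 = 2^64 + 2, which wraps to 2 cells. */
    uint64_t w = (1ULL << 63) + 1, d = 2;
    printf("unchecked bytes: %zu\n", cms_bytes_unchecked(w, d));   /* 8 */
    printf("checked bytes:   %zu\n", cms_bytes_checked(w, d));     /* 0 (refused) */
    printf("sane request:    %zu\n", cms_bytes_checked(1000, 10)); /* 40000 */
    return 0;
}
```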

Vulnerability details

RedisBloom adds a set of probabilistic data structures to Redis. There is an integer overflow vulnerability in RedisBloom, which is a module used in Redis. The integer overflow vulnerability allows an attacker (a Redis client which knows the password) to allocate less memory in the heap than required, due to wraparound. Reads and writes can then be performed beyond this allocated memory, leading to an info leak and an OOB write. The integer overflow is in the CMS.INITBYDIM command, which initializes a Count-Min Sketch to dimensions specified by the user. It accepts two values (width and depth) and uses them to allocate memory in NewCMSketch(). This vulnerability is fixed in 2.2.19, 2.4.12, 2.6.14, and 2.8.2.

CWE(s)

CWE-190 Integer Overflow or Wraparound

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Integer overflow enables remote exploitation of RedisBloom (public-facing Redis module) via CMS.INITBYDIM for memory corruption and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30404 (shared CWE-190)
CVE-2025-53518 (shared CWE-190)
CVE-2026-44673 (shared CWE-190)
CVE-2024-11347 (shared CWE-190)
CVE-2026-31649 (shared CWE-190)
CVE-2025-14308 (shared CWE-190)
CVE-2026-41416 (shared CWE-190)
CVE-2026-24830 (shared CWE-190)
CVE-2026-5121 (shared CWE-190)
CVE-2026-25208 (shared CWE-190)

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely patching of the integer overflow flaw in RedisBloom's CMS.INITBYDIM command, directly eliminating the vulnerability as fixed in versions 2.2.19, 2.4.12, 2.6.14, and 2.8.2.

prevent (SI-10 Information Input Validation): Validates user-supplied width and depth parameters to CMS.INITBYDIM, preventing integer overflow during heap memory allocation in NewCMSketch().

prevent (SI-16 Memory Protection): Implements memory safeguards such as address space layout randomization and heap protections to mitigate exploitation of under-allocated heap memory leading to info leaks and OOB writes.