Cyber Resilience

CVE-2026-21863

Severity: High

Published: 23 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: available (fixed versions listed below)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21863 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Lfprojects Valkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21863 affects Valkey, a distributed key-value database, in versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The vulnerability resides in the clusterbus packet processing code, which fails to validate whether a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. This flaw enables an out-of-bounds read (CWE-125), potentially leading to a system crash. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
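The defect described above is a missing "does this extension fit inside the packet I received?" check. The following is an added illustration, not Valkey's own code: it walks a hypothetical cluster-bus-style message whose layout (an 8-byte header carrying a total length and an extension count, followed by type/length/payload extensions) is an assumption made for the example, and it bounds every read against the buffer before performing it, rejecting packets whose declared extension lengths or counts would run past the end.

```c
/* Added example, not code from the Valkey project. The packet layout,
 * field names and sizes below are assumptions for illustration only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HDR_LEN     8  /* assumed: 4-byte total length, 2-byte ext count, 2 reserved */
#define EXT_HDR_LEN 4  /* assumed: 2-byte type, 2-byte length (covers header + payload) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Validate that every extension lies wholly inside buf[0..buflen).
 * Returns the number of extensions validated, or -1 if any header or
 * payload would fall outside the received bytes. Nothing is read before
 * the check that guarantees it is in bounds. */
int validate_ping_extensions(const uint8_t *buf, size_t buflen) {
    if (buflen < HDR_LEN) return -1;                 /* header itself truncated */
    uint32_t totlen = rd32(buf);
    if (totlen < HDR_LEN || totlen > buflen) return -1; /* declared > received */
    uint16_t count = rd16(buf + 4);
    size_t off = HDR_LEN;
    for (uint16_t i = 0; i < count; i++) {
        /* Extension header must fit before its length field is read */
        if (totlen - off < EXT_HDR_LEN) return -1;
        uint16_t extlen = rd16(buf + off + 2);
        /* Whole extension (header + payload) must fit before payload use */
        if (extlen < EXT_HDR_LEN || extlen > totlen - off) return -1;
        off += extlen;                               /* cannot overflow: bounded above */
    }
    return (int)count;
}

/* Constructed sample packets (not captured traffic). */
/* Well-formed: total 20 bytes, two 6-byte extensions. */
static const uint8_t GOOD_PKT[] = {
    0x00,0x00,0x00,0x14, 0x00,0x02, 0x00,0x00,
    0x00,0x01, 0x00,0x06, 0xAA,0xBB,
    0x00,0x02, 0x00,0x06, 0xCC,0xDD };
/* Second extension claims 64 bytes but only 6 remain in the packet. */
static const uint8_t BAD_LEN_PKT[] = {
    0x00,0x00,0x00,0x14, 0x00,0x02, 0x00,0x00,
    0x00,0x01, 0x00,0x06, 0xAA,0xBB,
    0x00,0x02, 0x00,0x40, 0xCC,0xDD };
/* Header claims three extensions but only two are present. */
static const uint8_t BAD_COUNT_PKT[] = {
    0x00,0x00,0x00,0x14, 0x00,0x03, 0x00,0x00,
    0x00,0x01, 0x00,0x06, 0xAA,0xBB,
    0x00,0x02, 0x00,0x06, 0xCC,0xDD };

int main(void) {
    printf("good:        %d\n", validate_ping_extensions(GOOD_PKT, sizeof GOOD_PKT));
    printf("bad length:  %d\n", validate_ping_extensions(BAD_LEN_PKT, sizeof BAD_LEN_PKT));
    printf("bad count:   %d\n", validate_ping_extensions(BAD_COUNT_PKT, sizeof BAD_COUNT_PKT));
    printf("short recv:  %d\n", validate_ping_extensions(GOOD_PKT, 12));
    return 0;
}
```

The two checks inside the loop are the point: the header check guards the read of the length field, and the length check guards the payload, each expressed as "remaining bytes" so the arithmetic itself cannot overflow. A receiver that performs these checks answers a malformed packet by dropping it rather than by reading past the buffer.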

A remote attacker with network access to the Valkey clusterbus port can exploit this vulnerability by sending a specially crafted invalid packet. No authentication or user interaction is required, allowing unauthenticated attackers to trigger the out-of-bounds read and cause a denial-of-service condition through system crashes. Exploitation relies solely on reaching the clusterbus port over the network.

The Valkey security advisory recommends upgrading to fixed versions 9.0.2, 8.1.6, 8.0.7, or 7.2.12, which address the buffer validation issue. As an additional mitigation, administrators should avoid exposing the clusterbus connection directly to end users and secure it with dedicated network access control lists (ACLs). Further details are available in the GitHub Security Advisory at https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq.

Vulnerability details

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

CWE(s): CWE-125 (Out-of-bounds Read)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote, unauthenticated exploitation of a network packet processing flaw in an exposed clusterbus service directly enables T1190 (Exploit Public-Facing Application) and results in DoS via crafted input, mapping to T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27623: same product (Lfprojects Valkey)
CVE-2025-67733: same product (Lfprojects Valkey)
CVE-2026-0545: same vendor (Lfprojects)
CVE-2026-21864: same vendor (Lfprojects)
CVE-2026-41604: shared CWE-125
CVE-2026-30997: shared CWE-125
CVE-2025-15031: same vendor (Lfprojects)
CVE-2026-40890: shared CWE-125
CVE-2026-26008: shared CWE-125
CVE-2026-41475: shared CWE-125

Affected Assets

lfprojects
valkey
≤ 7.2.12 · 8.0.0 — 8.0.7 · 8.1.0 — 8.1.6

Mitigating Controls

NIST 800-53 r5 controls (AI-generated mapping)

SI-2 Flaw Remediation (prevent): applying the Valkey patches (9.0.2, 8.1.6, 8.0.7, 7.2.12) fixes the buffer validation flaw that causes the out-of-bounds reads and crashes.

SC-7 Boundary Protection (prevent): network ACLs restrict access to the clusterbus port, blocking unauthenticated remote attackers from sending malicious packets.

SC-5 Denial-of-service Protection (prevent): limits the effects of crafted invalid packets that trigger out-of-bounds reads and system crashes on the clusterbus port.

References

GitHub Security Advisory GHSA-c677-q3wr-gggq: https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq