CVE-2026-21863
Published: 23 February 2026
Summary
CVE-2026-21863 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Lfprojects Valkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a network packet processing flaw in an exposed clusterbus service directly enables T1190 (Exploit Public-Facing Application) and results in denial of service via crafted input, mapping to T1499.004 (Application or System Exploitation).
NVD Description
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out-of-bounds read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Deeper analysis
CVE-2026-21863 affects Valkey, a distributed key-value database, in versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The vulnerability resides in the clusterbus packet processing code, which fails to validate whether a clusterbus ping extension packet is located within the buffer of the clusterbus packet before attempting to read it. This flaw enables an out-of-bounds read (CWE-125), potentially leading to a system crash. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
A remote attacker with network access to the Valkey clusterbus port can exploit this vulnerability by sending a specially crafted invalid packet. No authentication or user interaction is required, allowing unauthenticated attackers to trigger the out-of-bounds read and cause a denial-of-service condition through system crashes. Exploitation relies solely on reaching the clusterbus port over the network.
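The missing check described above, as an added illustration that is not Valkey's code: a simplified, hypothetical ping-packet layout (fixed 8-byte body followed by type/flags/length extensions, all constructed for this example) is walked with every header and payload read bounded by the received packet length, so a truncated or over-claiming extension is rejected instead of being read past the buffer.

```c
/* Hypothetical cluster-bus ping layout used only for this example;
 * it is not Valkey's real wire format. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PING_BASE_LEN 8   /* assumed fixed ping body size */
#define EXT_HDR_LEN   4   /* type(1) + flags(1) + length(2, little-endian) */

/* Returns how many of the 'count' announced extensions lie entirely inside
 * buf[0..len), or -1 as soon as a header or payload would extend past the
 * buffer. Each read is preceded by a check against 'len', which is the
 * validation the advisory says affected versions lacked. */
int validate_ping_extensions(const uint8_t *buf, size_t len, unsigned count)
{
    size_t off = PING_BASE_LEN;
    int seen = 0;
    if (len < PING_BASE_LEN) return -1;
    for (unsigned i = 0; i < count; i++) {
        /* The 4-byte header must fit before its length field is read. */
        if (len - off < EXT_HDR_LEN) return -1;
        size_t elen = (size_t)buf[off + 2] | ((size_t)buf[off + 3] << 8);
        /* Declared length covers the header; it must also fit in what is left. */
        if (elen < EXT_HDR_LEN || elen > len - off) return -1;
        off += elen;
        seen++;
    }
    return seen;
}

/* Constructed samples: 8-byte body, then one extension with 2 payload bytes. */
static const uint8_t sample_good[] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    1, 0, 6, 0, 0xAA, 0xBB };           /* type 1, len 6: fits exactly */
static const uint8_t sample_overclaim[] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    1, 0, 16, 0, 0xAA, 0xBB };          /* type 1, len 16: only 6 bytes present */

/* Returns 1 when the validator accepts the good packet and rejects both
 * the over-claiming one and a packet announcing more extensions than it holds. */
int check_samples(void)
{
    return validate_ping_extensions(sample_good, sizeof sample_good, 1) == 1
        && validate_ping_extensions(sample_overclaim, sizeof sample_overclaim, 1) == -1
        && validate_ping_extensions(sample_good, sizeof sample_good, 2) == -1;
}

int main(void)
{
    printf("bounds checks behave as expected: %s\n", check_samples() ? "yes" : "no");
    return check_samples() ? 0 : 1;
}
```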
The Valkey security advisory recommends upgrading to fixed versions 9.0.2, 8.1.6, 8.0.7, or 7.2.12, which address the buffer validation issue. As an additional mitigation, administrators should avoid exposing the clusterbus connection directly to end users and secure it with dedicated network access control lists (ACLs). Further details are available in the GitHub Security Advisory at https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq.
Details
- CWE(s)