CVE-2026-21864
Published: 24 February 2026
Summary
CVE-2026-21864 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Lfprojects Valkey-Bloom. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Directly implements checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound and outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows remote exploitation of a network-accessible database service (Valkey): a crafted RESTORE command trips a server assertion and shuts the process down, a denial of service rooted in a CWE-20 input validation failure. The T1190 mapping assumes the attacker can reach the Valkey port; the CVSS vector additionally requires an authenticated client (PR:L).
NVD Description
Valkey-Bloom is a Rust-based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causing the server to shut down. Valkey modules are required to handle errors in RDB parsing by using the `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
Deeper analysis (AI-generated)
CVE-2026-21864 affects Valkey-Bloom, a Rust-based module that adds a Bloom Filter data type to the Valkey distributed key-value database. In versions prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, the module does not set the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS module option at load time, even though its RDB load callback correctly reports parse errors. Without that option, an error returned while deserialising the payload of a specially crafted RESTORE command is escalated by the server into an assertion failure, and the Valkey process shuts down. The vulnerability is rated 6.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation).
An attacker with low-privilege (PR:L) network access to a vulnerable Valkey instance, that is, any client able to connect and authenticate (or any client at all on an instance whose default user has no password), can exploit this by sending a malicious RESTORE command. The low attack complexity and lack of user interaction make this a remote denial of service: the server crashes, giving a high availability impact without affecting confidentiality or integrity.
The patch in commit a68614b6e3845777d383b3a513cedcc08b3b7ccd sets the required module option so that RDB parse errors are returned to the caller instead of triggering an assertion. Until the patched module is deployed, the advisory's suggested mitigation is to disable the RESTORE command where the application does not use it, either by removing it with `rename-command RESTORE ""` in valkey.conf or by denying it to every ACL user with `-restore`; the latter is the cleaner option, and either way the result should be verified against the effective ACL set rather than assumed, as noted in the Valkey-Bloom GitHub security advisory (GHSA-mc2g-h759-3qw2).
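As an added example (not code from the Valkey-Bloom project or the advisory), the following Python script checks whether the mitigation above, disabling RESTORE, actually holds for a given valkey.conf and its inline `user` ACL lines. It runs offline on config text. The sample configurations are constructed for the example; the ACL evaluator models only the rule types that affect command reachability (on/off, reset, +/-command, +/-@category, allcommands/nocommands), applying them left to right as Valkey does, and the category membership used for RESTORE (keyspace, write, slow, dangerous) is taken from the Valkey command reference. A renamed command is deliberately still reported as reachable, since renaming does not remove it.

```python
"""Offline check for the CVE-2026-21864 mitigation: can any ACL user still invoke RESTORE?

Input is valkey.conf-style text containing `rename-command` directives and `user` lines
(the `user ...` shape is also what ACL LIST prints, so its output can be pasted in).
Only the parts of the ACL grammar that decide command reachability are modelled; key,
channel and password rules are ignored because they never grant or revoke a command.
"""

# ACL categories that include RESTORE, per the Valkey command reference.
# Only RESTORE is modelled here, so no other command's categories are needed.
RESTORE_CATEGORIES = {"all", "keyspace", "write", "slow", "dangerous"}


def parse_config(conf_text):
    """Return (effective_restore_name, {user: [rules]}).

    effective_restore_name is "RESTORE" when untouched, the new name when
    `rename-command RESTORE <name>` was used, and None when the command was
    removed from the command table with `rename-command RESTORE ""`.
    """
    restore_name = "RESTORE"
    users = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rename-command" and len(parts) >= 3 and parts[1].upper() == "RESTORE":
            new_name = parts[2].strip("\"'")
            restore_name = new_name or None
        elif directive == "user" and len(parts) >= 2:
            # A later `user` line for the same name replaces the earlier one, as in an ACL file.
            users[parts[1]] = parts[2:]
    return restore_name, users


def user_can_run(rules, command):
    """Apply ACL rules in order and report whether `command` ends up permitted."""
    command = command.lower()
    enabled = False  # ACL users start disabled; a rule must turn them `on`
    allowed = False  # and with no commands granted
    for rule in rules:
        r = rule.lower()
        if r == "on":
            enabled = True
        elif r in ("off", "reset"):
            enabled = False
            if r == "reset":
                allowed = False  # `reset` implies -@all as well as off
        elif r in ("allcommands", "+@all"):
            allowed = True
        elif r in ("nocommands", "-@all"):
            allowed = False
        elif r.startswith("+@") or r.startswith("-@"):
            if r[2:] in RESTORE_CATEGORIES:
                allowed = r[0] == "+"
        elif r[0] in "+-":
            # Command rules may carry a subcommand (`+cmd|sub`); RESTORE has none.
            if r[1:].split("|", 1)[0] == command:
                allowed = r[0] == "+"
        # ~key, %R~key, &channel, >pass, <pass, nopass, resetpass, resetkeys: no effect
    return enabled and allowed


def restore_reachable(conf_text):
    """Map each declared user to True if it can invoke RESTORE (under whatever name)."""
    name, users = parse_config(conf_text)
    if name is None:
        return {user: False for user in users}  # command removed entirely
    return {user: user_can_run(rules, name) for user, rules in users.items()}


def users_exposed(conf_text):
    """Sorted list of users that still reach RESTORE; an empty list means the mitigation holds."""
    return sorted(u for u, ok in restore_reachable(conf_text).items() if ok)


# Constructed sample configurations for the example; not taken from any real deployment.
CONF_UNMITIGATED = """
user default on nopass ~* &* +@all
user app on >app-pass ~app:* -@all +@read +@write
"""

CONF_RENAMED_AWAY = """
rename-command RESTORE ""
user default on nopass ~* &* +@all
"""

CONF_RENAMED_ONLY = """
rename-command RESTORE r3st0r3
user default on nopass ~* &* +@all
"""

CONF_ACL_DENY = """
user default on nopass ~* &* +@all -restore
user app on >app-pass ~app:* -@all +@read +@write -restore
user loader on >loader-pass ~* +@all
user legacy off +@all
"""

if __name__ == "__main__":
    for label, conf in [("unmitigated", CONF_UNMITIGATED), ("renamed away", CONF_RENAMED_AWAY),
                        ("renamed only", CONF_RENAMED_ONLY), ("acl deny", CONF_ACL_DENY)]:
        print(f"{label}: users that can run RESTORE -> {users_exposed(conf) or 'none'}")
```

Two results worth noticing: the `app` user in the unmitigated config reaches RESTORE through `+@write` without ever naming it, which is why a per-user `-restore` has to follow any category grant; and the `loader` user in the ACL-deny config shows that a single forgotten account keeps the crash reachable, so the check belongs in deployment validation rather than being done once by hand.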
Details
- CWE(s)