
CVE-2026-21864

Severity: Medium
Published: 24 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: commit a68614b6e3845777d383b3a513cedcc08b3b7ccd
CVSS v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0016 (37.0th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21864 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Valkey-Bloom (vendor recorded as Lfprojects). Its CVSS v3.1 base score is 6.5 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.0th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-21864 affects Valkey-Bloom, a Rust-based module that adds a Bloom Filter data type to the Valkey distributed key-value database. In versions prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd (the affected-asset data below gives 1.0.1 as the last affected release), the module does not set the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag, even though its RDB load path already detects and handles malformed input. Valkey requires that flag from any module that wants to handle RDB parsing errors itself; without it, a parsing error is escalated to a server assertion. A specially crafted RESTORE command can therefore take the whole server down. The vulnerability is rated 6.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is classified as CWE-20 (Improper Input Validation).

An attacker who can authenticate as a low-privileged user (PR:L) and reach the instance over the network can trigger the fault by sending a RESTORE command whose serialized payload the module rejects. Because the flag is unset, the module's rejection becomes an assertion failure rather than an error reply, so the server exits: the impact is a remote denial of service (A:H) with no effect on confidentiality or integrity, and no user interaction or special conditions are needed (AC:L, UI:N). Note that T1190 presumes an Internet-facing instance; the vector here still requires credentials, so exposure is bounded by which authenticated users can issue RESTORE, not by network reachability alone.

The patch in commit a68614b6e3845777d383b3a513cedcc08b3b7ccd sets the flag, so a parsing error during RESTORE is reported as an error instead of tripping the assertion. Until patched, disabling the RESTORE command where the application does not use it removes the trigger, as noted in the Valkey-Bloom GitHub security advisory (GHSA-mc2g-h759-3qw2).
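The following script is an added example for this page, not code from the Valkey or valkey-bloom projects. It turns the analysis above into a pre-patch exposure check: it reads MODULE LIST to find the loaded valkey-bloom version and compares it against the ≤ 1.0.1 affected range, then tests whether RESTORE is actually reachable, either because it was renamed away with rename-command or because the ACL of the inspected user denies it. It assumes that valkey-bloom registers under the module name "bf", that its integer version field is major*10000 + minor*100 + patch (so 1.0.1 is 10001), and that RESTORE sits in the ACL categories @keyspace, @write, @slow and @dangerous; none of that is stated on the page, so verify it against your build. The RESP2 encoding and decoding are written out in full so the same functions run offline over captured reply bytes.

```python
"""Exposure check for CVE-2026-21864 (added example; not Valkey or valkey-bloom project code).
Assumed rather than stated on the page (verify against your deployment):
  * valkey-bloom appears in MODULE LIST under the module name "bf";
  * its integer "ver" is major*10000 + minor*100 + patch (so 1.0.1 -> 10001);
  * RESTORE is in the ACL categories @keyspace, @write, @slow and @dangerous;
  * RESTORE is unreachable when COMMAND INFO returns null for it (renamed away) or the user's ACL denies it.
"""
import socket

LAST_AFFECTED = (1, 0, 1)  # page: valkey-bloom <= 1.0.1 affected
RESTORE_CATEGORIES = {"@all", "@keyspace", "@write", "@slow", "@dangerous"}  # assumed

class Incomplete(Exception):
    pass  # the buffer does not yet hold a whole RESP reply

def encode_command(*args):
    """Encode a command as a RESP2 array of bulk strings."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)

def decode_reply(data):
    """Parse one RESP2 reply from bytes; returns (value, bytes_consumed)."""
    def item(pos):
        end = data.find(b"\r\n", pos + 1)
        if pos >= len(data) or end < 0:
            raise Incomplete
        kind, text, pos = data[pos:pos + 1], data[pos + 1:end], end + 2
        if kind == b"+":
            return text.decode(), pos
        if kind == b":":
            return int(text), pos
        if kind == b"-":
            raise ValueError("server error: " + text.decode())
        if kind not in (b"$", b"*"):
            raise ValueError("unsupported RESP type %r" % kind)
        n = int(text)
        if n == -1:
            return None, pos  # null bulk string or null array
        if kind == b"$":
            if len(data) < pos + n + 2:
                raise Incomplete
            return data[pos:pos + n].decode(), pos + n + 2
        values = []
        for _ in range(n):
            value, pos = item(pos)
            values.append(value)
        return values, pos
    return item(0)

def bloom_version(module_list):
    """(major, minor, patch) of the 'bf' module from a decoded MODULE LIST reply, else None."""
    for entry in module_list:
        fields = dict(zip(entry[0::2], entry[1::2]))
        if fields.get("name") == "bf":
            ver = fields["ver"]
            return (ver // 10000, (ver // 100) % 100, ver % 100)
    return None

def acl_allows_restore(commands_field):
    """Replay the 'commands' rules from ACL GETUSER in order; the last rule touching RESTORE wins."""
    allowed = False  # a user starts with no commands
    for rule in commands_field.split():
        if rule[0] not in "+-":
            continue
        name = rule[1:].lower().split("|")[0]
        if name == "restore" or name in RESTORE_CATEGORIES:
            allowed = rule[0] == "+"
    return allowed

def assess(module_list, command_info, acl_getuser):
    """Combine decoded MODULE LIST, COMMAND INFO restore and ACL GETUSER replies into a verdict."""
    version = bloom_version(module_list)
    acl = dict(zip(acl_getuser[0::2], acl_getuser[1::2])) if acl_getuser else {}
    reachable = command_info != [None] and acl_allows_restore(acl.get("commands", ""))
    affected = version is not None and version <= LAST_AFFECTED
    action = "patch" if affected and reachable else "mitigated" if affected else "ok"
    return {"bloom_version": version, "vulnerable_version": affected,
            "restore_reachable": reachable, "action": action}

def probe(host, port, admin_user, admin_password, target_user="default", timeout=3.0):
    """Live check over plain TCP (no TLS); ACL GETUSER needs an @admin-capable login."""
    commands = [("AUTH", admin_user, admin_password), ("MODULE", "LIST"),
                ("COMMAND", "INFO", "restore"), ("ACL", "GETUSER", target_user)]
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for command in commands:
            sock.sendall(encode_command(*command))
            buf = b""
            while True:
                chunk = sock.recv(65536)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                buf += chunk
                try:
                    replies.append(decode_reply(buf)[0])
                    break
                except Incomplete:
                    pass
    return assess(*replies[1:])  # replies[0] is the AUTH acknowledgement
```

Run probe() with an administrative login against a test instance and name the application user you want to inspect. An "action" of "patch" means an affected module is loaded and RESTORE is reachable for that user, "mitigated" means the version is affected but RESTORE is blocked for that user, and "ok" means the module is absent or outside the affected range. The ACL result is per user: a deny for one account says nothing about other authenticated users, and it is that whole population that PR:L describes.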


Vulnerability details

Valkey-Bloom is a Rust-based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causing the server to shut down. Valkey modules are required to handle errors in RDB parsing by using the `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-Bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote exploitation of a network-accessible database service (Valkey) via malicious RESTORE command to trigger crash/DoS (CWE-20 input validation failure).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27623 (same vendor: Lfprojects)
CVE-2026-0545 (same vendor: Lfprojects)
CVE-2026-21863 (same vendor: Lfprojects)
CVE-2025-71003 (shared CWE-20)
CVE-2025-15031 (same vendor: Lfprojects)
CVE-2026-26310 (shared CWE-20)
CVE-2026-2652 (same vendor: Lfprojects)
CVE-2025-66786 (shared CWE-20)
CVE-2025-59895 (shared CWE-20)
CVE-2026-26314 (shared CWE-20)

Affected Assets

lfprojects valkey-bloom, versions ≤ 1.0.1

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent): Directly requires validation of inputs such as the specially crafted RESTORE command that triggers the assertion failure.

SI-11 Error Handling (prevent): Requires graceful error handling during RDB parsing instead of allowing unhandled errors to cause server shutdown.

Disable the unused RESTORE command (prevent): Supports disabling the unused RESTORE command to eliminate the attack vector for malformed input.
