CVE-2026-21864
Published: 24 February 2026
Summary
CVE-2026-21864 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Lfprojects Valkey-Bloom. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 37.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-21864 affects Valkey-Bloom, a Rust-based module that adds Bloom Filter data type support to the Valkey distributed key-value database. In versions prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, the module fails to set the VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS flag during RDB parsing, despite correctly handling parsing errors. This allows a specially crafted RESTORE command to trigger a system assertion, resulting in server shutdown. The vulnerability is rated 6.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-20 (Improper Input Validation).
An attacker with low-privilege (PR:L) network access to a vulnerable Valkey instance can exploit this by sending a malicious RESTORE command. The low attack complexity and lack of user interaction enable remote denial-of-service, causing high-impact availability disruption through server crashes without affecting confidentiality or integrity.
The patch in commit a68614b6e3845777d383b3a513cedcc08b3b7ccd adds the required flag to prevent assertion failures. Additional mitigation includes disabling the RESTORE command if not used by the application, as noted in the Valkey-Bloom GitHub security advisory (GHSA-mc2g-h759-3qw2).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7461
Vulnerability details
Valkey-Bloom is a Rust-based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causing the server to shut down. Valkey modules are required to handle errors in RDB parsing by using the `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.
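To make the mechanism concrete, the following is an added model (not Valkey or valkey-bloom code) of the contract between the Valkey core and a module's RDB load callback during `RESTORE`. It assumes a simplified bloom-like value layout (hash count, bitmap length, bitmap bytes) and a single option bit standing in for `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS`; the core's assertion is modelled as a returned value so the patched and unpatched behaviour can be compared without killing the process.

```rust
/// Stand-in for VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS (the bit value is an assumption).
const HANDLE_IO_ERRORS: u32 = 1 << 0;
/// Truncated: the module is told the read failed. ServerAssert: it never opted in, so the core treats the bad read as fatal.
#[derive(Debug, PartialEq)]
enum LoadError { Truncated, ServerAssert }

/// Stand-in for ValkeyModuleIO: a cursor over the RESTORE payload body.
struct ModuleIo<'a> { buf: &'a [u8], pos: usize, options: u32 }
impl<'a> ModuleIo<'a> {
    /// Read n bytes; a short read is the point where the real core would assert.
    fn take(&mut self, n: usize) -> Result<Vec<u8>, LoadError> {
        match self.pos.checked_add(n).filter(|&end| end <= self.buf.len()) {
            Some(end) => { let s = self.buf[self.pos..end].to_vec(); self.pos = end; Ok(s) }
            None if (self.options & HANDLE_IO_ERRORS) != 0 => Err(LoadError::Truncated),
            None => Err(LoadError::ServerAssert), // pre-patch valkey-bloom ends up here
        }
    }
    fn load_u32(&mut self) -> Result<u32, LoadError> {
        self.take(4).map(|b| u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    }
}

/// Constructed bloom-like layout: hash count, bitmap length, then the bitmap bytes.
#[allow(dead_code)]
struct BloomValue { num_hashes: u32, bitmap: Vec<u8> }

/// The module's rdb_load callback: it handles every parsing error, as valkey-bloom did, but the flag decides whether it gets the chance.
fn bloom_rdb_load(io: &mut ModuleIo<'_>) -> Result<BloomValue, LoadError> {
    let num_hashes = io.load_u32()?;
    let bitmap_len = io.load_u32()? as usize;
    let bitmap = io.take(bitmap_len)?;
    Ok(BloomValue { num_hashes, bitmap })
}
#[derive(Debug, PartialEq)]
enum Outcome { Restored, RestoreRejected, ServerAssert }

/// Core-side RESTORE handling of a module-type value body.
fn core_restore(module_options: u32, payload: &[u8]) -> Outcome {
    let mut io = ModuleIo { buf: payload, pos: 0, options: module_options };
    match bloom_rdb_load(&mut io) {
        Ok(_) => Outcome::Restored,
        Err(LoadError::Truncated) => Outcome::RestoreRejected, // client gets an error reply
        Err(LoadError::ServerAssert) => Outcome::ServerAssert, // the whole server goes down
    }
}

fn main() {
    // Constructed payload: the header promises a 64-byte bitmap but only 2 bytes follow.
    let crafted: [u8; 10] = [3, 0, 0, 0, 64, 0, 0, 0, 0xAA, 0x55];
    println!("without flag: {:?}", core_restore(0, &crafted));
    println!("with flag:    {:?}", core_restore(HANDLE_IO_ERRORS, &crafted));
}
```

The same module code rejects the malformed payload cleanly once the option bit is set, which is exactly the one-line difference the fix commit makes.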
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability allows remote exploitation of a network-accessible database service (Valkey): a malicious RESTORE command triggers a crash and denial of service, a CWE-20 input validation failure.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of inputs such as the specially crafted RESTORE command that triggers the assertion failure.
- SI-11 (Error Handling): requires graceful error handling during RDB parsing instead of allowing unhandled errors to cause server shutdown.
- Disabling the unused RESTORE command eliminates the attack vector for malformed input.