
CVE-2026-23479

Severity: High (updated)
Published: 05 May 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: fixed in version 8.6.3
CVSS v4.0 Score: 7.7 (High)
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0129 (66.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23479 is a high-severity use-after-free (CWE-416) vulnerability in Redis (vendor: Redis, product: Redis). Its CVSS v4.0 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 33.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

CWE(s): CWE-416 Use After Free

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A use-after-free in redis-server enables authenticated remote code execution, which maps directly to exploitation of public-facing or remote services and to privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23631 (same product: Redis, vendor Redis)
CVE-2025-62507 (same product: Redis, vendor Redis)
CVE-2025-46817 (same product: Redis, vendor Redis)
CVE-2026-25243 (same product: Redis, vendor Redis)
CVE-2024-46981 (same product: Redis, vendor Redis)
CVE-2025-49844 (same product: Redis, vendor Redis)
CVE-2026-7357 (shared weakness: CWE-416)
CVE-2026-45185 (shared weakness: CWE-416)
CVE-2025-21298 (shared weakness: CWE-416)
CVE-2026-31474 (shared weakness: CWE-416)

Affected Assets

Vendor: redis
Product: redis
Affected versions: 7.2.0 up to, but not including, 8.6.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-416: Non-executable memory pages and ASLR block, or significantly raise the cost of, use-after-free exploits that aim for arbitrary code execution. These are compensating controls only; the fix is upgrading to version 8.6.3.
