CVE-2026-27623
Published: 23 February 2026
Summary
CVE-2026-27623 is a high-severity Improper Input Validation (CWE-20) vulnerability in Lfprojects Valkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 31.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27623 is a denial-of-service vulnerability in Valkey, an open-source distributed key-value database forked from Redis. It affects versions 9.0.0 through 9.0.2, stemming from improper input validation (CWE-20). Specifically, the server fails to reset its networking state after processing an empty incoming request, leaving it in an inconsistent state that causes subsequent requests to trigger an assertion failure and server abort.
Any unauthenticated attacker with network access to the Valkey instance can exploit this remotely with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending an empty request followed by a specially crafted one, the attacker tricks the server into detecting a broken invariant, resulting in an immediate shutdown and disruption of service availability.
The official GitHub Security Advisory (GHSA-93p9-5vc7-8wgr) states that upgrading to Valkey version 9.0.3 resolves the issue by properly handling networking state resets. As an additional mitigation, deployments should be isolated using network controls or access restrictions to limit exposure to only trusted clients.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7509
Vulnerability details
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Related Threats
MITRE ATT&CK Enterprise Techniques: Application or System Exploitation (T1499.004)
Why these techniques?
A remote, unauthenticated denial of service in which an empty request followed by a crafted one triggers an assertion failure and a server abort directly matches Application or System Exploitation (T1499.004), the sub-technique of Endpoint Denial of Service that covers crashing a service by exploiting a flaw in the application itself.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely remediation of the specific flaw in Valkey versions 9.0.0-9.0.2 by patching to 9.0.3, which fixes the networking state reset after empty requests.
- SI-10 (Information Input Validation): mandates validation of incoming requests to prevent improper handling of empty inputs that would leave the server in an inconsistent state and trigger the assertion failure.
- SC-7 (Boundary Protection): enforces boundary protections that isolate Valkey deployments, restricting network access to trusted clients only and blocking unauthenticated remote DoS exploitation.
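As an added example (not part of this advisory and not the Valkey project's own code), the following POSIX shell script implements the two mitigations described in the deeper analysis and in the control list above from the defender's side: it decides whether a reported Valkey version falls in the affected 9.0.0 through 9.0.2 range, and it checks a configuration file for the access-restriction directives that keep an instance reachable only by trusted clients. The `v=9.0.1` format of the `valkey-server --version` line and the two constructed configuration files are assumptions made for the example; `bind`, `protected-mode` and `requirepass` are the standard Valkey/Redis directives.

```shell
#!/bin/sh
# Added example for CVE-2026-27623 (not the advisory's or Valkey's own code).
# Two defender checks: is the installed version in the affected range
# 9.0.0-9.0.2, and does the config restrict access to trusted clients only?

# parse_version_line LINE -> prints the x.y.z version found after "v=".
# Assumption: `valkey-server --version` prints "Valkey server v=9.0.1 sha=..."
# in the same format Redis uses.
parse_version_line() {
    printf '%s\n' "$1" | sed -n 's/.*v=\([0-9][0-9.]*\).*/\1/p'
}

# is_affected VERSION -> exit 0 if VERSION is 9.0.0, 9.0.1 or 9.0.2.
is_affected() {
    ver=$1
    case $ver in *.*.*) ;; *) return 1 ;; esac   # need all three components
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}                      # drop suffixes such as "-rc1"
    [ "$major" = 9 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -le 2 ]
}

# check_config FILE -> prints each weakness found; exit 0 only if none.
# The directives checked are the standard Valkey/Redis ones.
check_config() {
    f=$1
    rc=0
    if ! grep -Eq '^[[:space:]]*protected-mode[[:space:]]+yes' "$f"; then
        echo "$f: protected-mode is not yes"; rc=1
    fi
    # No bind line, or a bind to 0.0.0.0 / *, listens on every interface.
    if ! grep -Eq '^[[:space:]]*bind[[:space:]]' "$f" \
       || grep -Eq '^[[:space:]]*bind[[:space:]].*(0\.0\.0\.0|\*)' "$f"; then
        echo "$f: bind exposes all interfaces"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$f"; then
        echo "$f: no requirepass set, unauthenticated clients are accepted"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not real deployments).
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 6379
bind 0.0.0.0
protected-mode no
EOF

HARD_CONF=$(mktemp)
cat > "$HARD_CONF" <<'EOF'
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-example-secret
EOF

# Stand-alone demo on a constructed version line.
SAMPLE_VERSION=$(parse_version_line 'Valkey server v=9.0.1 sha=00000000:0 malloc=jemalloc-5.3.0')
if is_affected "$SAMPLE_VERSION"; then
    echo "Valkey $SAMPLE_VERSION is affected by CVE-2026-27623: upgrade to 9.0.3"
fi
check_config "$WEAK_CONF" || echo "weak config: restrict access until patched"
check_config "$HARD_CONF" && echo "hardened config: only trusted local clients reachable"
```

Against a real installation, run `is_affected "$(parse_version_line "$(valkey-server --version)")"` and `check_config` on the deployed valkey.conf. A failing `check_config` means the instance is still reachable by arbitrary network clients, which is exactly the exposure the advisory's isolation advice is meant to remove while the upgrade to 9.0.3 is pending.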