CVE-2026-27623
Published: 23 February 2026
Summary
CVE-2026-27623 is a high-severity Improper Input Validation (CWE-20) vulnerability in Lfprojects Valkey. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated DoS via crafted empty + follow-up requests triggering assertion failure and server abort directly matches application/system exploitation for endpoint denial of service.
NVD Description
Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.
Deeper analysis
CVE-2026-27623 is a denial-of-service vulnerability in Valkey, an open-source distributed key-value database forked from Redis. It affects versions 9.0.0 through 9.0.2, stemming from improper input validation (CWE-20). Specifically, the server fails to reset its networking state after processing an empty incoming request, leaving it in an inconsistent state that causes subsequent requests to trigger an assertion failure and server abort.
Any unauthenticated attacker with network access to the Valkey instance can exploit this remotely with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By sending an empty request followed by a specially crafted one, the attacker tricks the server into detecting a broken invariant, resulting in an immediate shutdown and disruption of service availability.
The official GitHub Security Advisory (GHSA-93p9-5vc7-8wgr) states that upgrading to Valkey version 9.0.3 resolves the issue by properly handling networking state resets. As an additional mitigation, deployments should be isolated using network controls or access restrictions to limit exposure to only trusted clients.
Details
- CWE(s)