Cyber Resilience

CVE-2026-27623

Severity: High

Published: 23 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: Valkey 9.0.3
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0013 (31.6th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-27623 is a high-severity Improper Input Validation (CWE-20) vulnerability in Lfprojects Valkey. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By EPSS exploit likelihood the CVE ranks at the 31.6th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27623 is a denial-of-service vulnerability in Valkey, an open-source distributed key-value database forked from Redis. It affects versions 9.0.0 through 9.0.2, stemming from improper input validation (CWE-20). Specifically, the server fails to reset its networking state after processing an empty incoming request, leaving it in an inconsistent state that causes subsequent requests to trigger an assertion failure and server abort.

Any unauthenticated attacker with network access to the Valkey instance can exploit this remotely, with low attack complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). An empty request followed by a specially crafted one leads the server to detect a broken invariant, which results in an immediate abort and loss of service availability. Confidentiality and integrity are not affected.

The official GitHub Security Advisory (GHSA-93p9-5vc7-8wgr) states that upgrading to Valkey version 9.0.3 resolves the issue by properly handling networking state resets. As an additional mitigation, deployments should be isolated using network controls or access restrictions to limit exposure to only trusted clients.

Vulnerability details

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking state after processing an empty request. A malicious actor can then send a request that the server incorrectly identifies as breaking server side invariants, which results in the server shutting down. Version 9.0.3 fixes the issue. As an additional mitigation, properly isolate Valkey deployments so that only trusted users have access.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated denial of service in which an empty request followed by a crafted one triggers an assertion failure and server abort maps directly to application or system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21863 (same product: Lfprojects Valkey)
CVE-2025-67733 (same product: Lfprojects Valkey)
CVE-2026-21864 (same vendor: Lfprojects)
CVE-2026-22862 (shared CWE-20)
CVE-2026-22868 (shared CWE-20)
CVE-2025-70123 (shared CWE-20)
CVE-2026-0545 (same vendor: Lfprojects)
CVE-2025-61616 (shared CWE-20)
CVE-2026-22565 (shared CWE-20)
CVE-2026-22699 (shared CWE-20)

Affected Assets

Vendor: lfprojects
Product: valkey
Versions: 9.0.0 up to 9.0.3 (exclusive; 9.0.3 contains the fix)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (flaw remediation): Requires timely remediation of the specific flaw in Valkey versions 9.0.0 through 9.0.2 by patching to 9.0.3, which fixes the networking state reset after empty requests.

Prevent (SI-10, Information Input Validation): Mandates validation of incoming requests so that empty inputs cannot leave the server in an inconsistent state that later triggers an assertion failure.

Prevent (SC-7, Boundary Protection): Enforces boundary protections to isolate Valkey deployments, restricting network access to trusted clients only and blocking unauthenticated remote DoS exploitation.
