Redis CVE-2026-23479: a public use-after-free→GOT-overwrite RCE in a database 80% of cloud estates run passwordless
Part of run 2026-06-05-2c6574c4 (intel · Claude Opus 4.8)
Theori's autonomous vulnerability-discovery tool Xint Code (credited to Team Xint Code — Tim Becker, Jacob Newman, Juno IM) found CVE-2026-23479, a use-after-free in Redis's blocking-client code path that an authenticated client can drive to remote code execution on the host. The full exploit chain became public on 2 June 2026 in the write-up from the Wiz-run ZeroDay.Cloud 2025 competition, coinciding with the patch release (ZeroDay.Cloud, 2026-06-02). Redis disclosed it on 5 May among five flaws it patched that day — four rated High and RCE-class (CVE-2026-23479, -25243, -25588, -25589) plus one Medium-severity Lua use-after-free (Redis, 2026-05-05; The Hacker News, 2026-06-03).
Root cause. unblockClientOnKey() in src/blocked.c calls processCommandAndResetClient() without checking whether the client object was freed as a side effect of client eviction during that command's processing. Because Redis's zfree() does not zero memory, the freed client slot keeps stale-but-valid-looking bytes and the function keeps operating on freed memory. The defect was introduced across two commits that landed in Redis 7.2-rc1 and shipped in 7.2.0 (January 2023's PR #11012 added the unchecked reset call; a March 2023 change removed the preceding NULL guard), and it survived undetected in every stable branch for over two years.
Exploitation chain. The public PoC is a deliberate three-stage memory-grooming sequence:
- Heap-address leak (T1203) — an EVAL one-liner (return tostring(redis.call)) leaks a Lua heap pointer, defeating ASLR for the next stages.
- Use-after-free groom — the attacker manipulates client memory limits via CONFIG SET, parks a bloated client on a stream with XREAD, then collapses the limits to force eviction (the free), and reclaims the freed slot with a pipelined SET carrying a forged client structure.
- GOT overwrite → system() — Redis's own updateClientMemoryUsage() performs an out-of-bounds decrement using attacker-controlled fields in the forged client, writing into the Global Offset Table. The official Redis Docker image ships with only partial RELRO, leaving the GOT writable, so the write repoints strcasecmp() to system() and the next command string is executed as an OS command (T1059).
The "authenticated" caveat barely applies. The chain needs a session whose ACL grants @admin (CONFIG SET), @scripting (EVAL), @stream (XREAD/XADD) and @read/@write — which is exactly the default user in a stock deployment. The write-up reports Redis is present in ~80% of cloud environments and that ~85% of those instances run without a password, so in the common case the "authentication" prerequisite is satisfied by anyone who can reach the port. There is no confirmed in-the-wild exploitation, but the chain is fully public and Redis is ubiquitous, so this is an asset-enumeration priority even before patching. NVD scores it 8.8 (CVSS 3.1); Redis scores it 7.7 (CVSS 4.0).
Affected and fixed. Vulnerable: 7.2.0–7.2.13, 7.4.0–7.4.8, 8.2.0–8.2.5, 8.4.0–8.4.2, 8.6.0–8.6.2. Fixed 2026-05-05 in 7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3; Redis Cloud is already patched.
Hunt and detection concepts. This exploit is loud in Redis's own telemetry if you collect it. Enable the slow log (slowlog-log-slower-than 0 captures every EVAL and CONFIG SET) and alert on the signature sequence rather than any single command: an EVAL returning an unusually long string, immediately followed by rapid CONFIG SET maxmemory* churn and pipelined XADD/XREAD/SET from a single client. At the OS layer the decisive signal is redis-server spawning any child process — a normal Redis never does (Sysmon-for-Linux / auditd execve with parent redis-server; on Windows-hosted Redis, Sysmon EID 1 with parent-image filter). Audit ACL LIST for any user — especially default — that simultaneously holds CONFIG, EVAL and stream commands.
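As an added illustration (not code from this brief or from Redis), a detector for the slow-log signature sequence described above, run over constructed entries in the array shape a SLOWLOG GET reply has. Because the slow log records commands but not their return values, it keys on the per-client order EVAL, then CONFIG SET maxmemory*, then XADD/XREAD/SET rather than on the EVAL result length; the 30-second window and the sample entries are assumptions.

```python
from collections import defaultdict

# Constructed sample in the shape of a SLOWLOG GET reply (requires
# slowlog-log-slower-than 0 so every command is logged):
# [id, unix_ts, duration_us, [cmd, *args], client_addr, client_name]
SAMPLE_SLOWLOG = [
    [1, 1780000000, 12, ["EVAL", "return tostring(redis.call)", "0"], "10.0.0.9:51234", ""],
    [2, 1780000001, 5, ["CONFIG", "SET", "maxmemory-clients", "1mb"], "10.0.0.9:51234", ""],
    [3, 1780000001, 40, ["XREAD", "BLOCK", "0", "STREAMS", "s", "$"], "10.0.0.9:51234", ""],
    [4, 1780000002, 4, ["CONFIG", "SET", "maxmemory-clients", "1kb"], "10.0.0.9:51234", ""],
    [5, 1780000002, 3, ["SET", "k", "<constructed payload>"], "10.0.0.9:51234", ""],
    [6, 1780000003, 2, ["GET", "k"], "10.0.0.5:40000", ""],          # benign client
    [7, 1780000010, 9, ["EVAL", "return 1", "0"], "10.0.0.7:41000", ""],  # EVAL alone
]

WINDOW_S = 30  # assumed: how long one client may take to complete the sequence


def classify(args):
    """Map a logged command to a stage of the sequence, or None if irrelevant."""
    cmd = args[0].upper()
    if cmd == "EVAL":
        return "eval"
    if (cmd == "CONFIG" and len(args) > 2 and args[1].upper() == "SET"
            and args[2].lower().startswith("maxmemory")):
        return "config"
    if cmd in ("XADD", "XREAD", "SET"):
        return "groom"
    return None


def find_groom_sequences(entries, window_s=WINDOW_S):
    """Return (client_addr, eval_ts, hit_ts) for each client that issued an EVAL,
    then a CONFIG SET maxmemory* change, then XADD/XREAD/SET inside window_s."""
    by_client = defaultdict(list)
    for _id, ts, _dur, args, addr, _name in entries:
        stage = classify(args)
        if stage:
            by_client[addr].append((ts, stage))
    hits = []
    for addr, events in by_client.items():
        events.sort()
        for i, (t0, stage0) in enumerate(events):
            if stage0 != "eval":
                continue
            saw_config = False
            for ts, stage in events[i + 1:]:
                if ts - t0 > window_s:
                    break
                if stage == "config":
                    saw_config = True
                elif stage == "groom" and saw_config:
                    hits.append((addr, t0, ts))
                    break
    return hits
```

Alerting on the ordered sequence from one client keeps a lone EVAL or a legitimate CONFIG SET from paging anyone.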
Hardening / mitigation. Patch to the fixed builds. Where patching lags, you can break specific stages of the chain via ACL least-privilege without touching the binary: deny CONFIG to application users (breaks stage 2), deny @scripting/EVAL if Lua is unused (kills the stage-1 leak), and split @admin away from the application role. Independently, require a password and bind Redis off the public internet behind TLS and network policy — that alone removes the unauthenticated-in-practice exposure that makes this widely critical. Rotate any broadly shared credential that combines admin, scripting and stream privileges. ATT&CK: T1203, T1059.