NEWS: Server takeover, data leakage and code execution. What you need to know about the DarkReplica vulnerability in Redis

pinkman

What to do right now if you use Redis.
A critical vulnerability in Redis allowed an authenticated attacker to take over the server and execute arbitrary code. The flaw has been named DarkReplica. The researcher who discovered the bug received $30,000 for it at the ZeroDay.Cloud 2025 competition in London.

CVE-2026-23631 (CVSS 8.5, High) lies in the Redis replication mechanism that is used to synchronize data between servers. The error is a memory-safety bug: memory is freed incorrectly after the server connects to a node controlled by the attacker, and Redis can then be made to keep operating on that freed memory (a use-after-free), which opens the way to executing attacker-supplied code on the server.

The attack required authenticating to Redis. Once authenticated, the attacker could make the server a "replica" of a node under their control and exploit a logic error in the synchronization process. The problem lay in Redis's built-in mechanism for running Lua functions: at one point Redis destroyed the Lua environment in use, but code kept running and referenced the already freed regions of memory.

Exploiting it further was extremely difficult and required a deep understanding of Redis internals and of the Lua virtual machine. The researcher developed a set of techniques to read and modify memory contents, and was then able to execute system commands on the target server.

The Redis developers fixed the problem on May 5, 2026. The fixes are included in versions 7.2.14, 7.4.9, 8.2.6, 8.4.3 and 8.6.3; all earlier releases of those branches were affected. Experts recommend installing the updates as soon as possible. Redis operators are also advised to restrict access to the service, use strong passwords, and not leave databases reachable from the Internet without additional protection.
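As an added example (not code from the original post or from the Redis project), the script below checks a server's reported version against the fixed releases listed in the post and audits a redis.conf for the hardening the post recommends: a password, no exposure on all interfaces, protected mode, and REPLICAOF/SLAVEOF withheld from ordinary application users, since the attack starts with an authenticated client re-pointing the server at an attacker-controlled master. The INFO text and both configurations are constructed samples, and the ACL check is a simplification that treats -@admin, -@dangerous or -@all as covering both replication commands.

```python
"""Offline checks for the DarkReplica (CVE-2026-23631) advisory.

Added example, not code from the original post or from the Redis project.
(1) version_status(): compare redis_version against the fixed releases the
    post lists (7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3).
(2) audit_redis_conf(): flag redis.conf settings that widen the attack
    surface. SAMPLE_INFO, WEAK_CONF and HARDENED_CONF are constructed.
"""
from __future__ import annotations

import re
import shlex

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (7, 2): (7, 2, 14), (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6), (8, 4): (8, 4, 3), (8, 6): (8, 6, 3),
}
ALL_INTERFACES = {"0.0.0.0", "*", "::", "-::*"}
REPL_CMDS = {"REPLICAOF", "SLAVEOF"}


def parse_version(version: str) -> tuple[int, int, int]:
    """'7.2.13' -> (7, 2, 13); ignores a trailing suffix such as '-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised redis_version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' when the branch is not in the advisory."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return "unknown"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def version_from_info(info: str) -> str:
    """Extract redis_version from the text returned by the INFO command."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def parse_redis_conf(conf: str) -> dict[str, list[list[str]]]:
    """directive -> argument lists in file order (Redis applies the last one)."""
    out: dict[str, list[list[str]]] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # keeps the "" in 'rename-command REPLICAOF ""'
        out.setdefault(parts[0].lower(), []).append(parts[1:])
    return out


def acl_rule_restricts_replication(args: list[str]) -> bool:
    """True if a 'user ...' rule removes REPLICAOF and SLAVEOF, directly or by category.
    Simplification: -@admin, -@dangerous and -@all all contain both commands."""
    toks = {t.lower() for t in args}
    return bool(toks & {"-@all", "-@admin", "-@dangerous"}) or {"-replicaof", "-slaveof"} <= toks


def audit_redis_conf(conf: str) -> list[str]:
    """Return findings for settings that make the DarkReplica precondition easy to meet."""
    d = parse_redis_conf(conf)
    findings: list[str] = []
    pw = d.get("requirepass", [[]])[-1]
    if not pw or pw[0] == "":
        findings.append("requirepass unset: any client that reaches the port is already authenticated")
    binds = d.get("bind")
    if binds is None or any(a in ALL_INTERFACES for a in binds[-1]):
        findings.append("bind missing or on all interfaces: Redis reachable beyond localhost")
    if d.get("protected-mode", [["yes"]])[-1][0].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote access not blocked")
    disabled = {a[0].upper() for a in d.get("rename-command", []) if len(a) == 2 and a[1] == ""}
    acl_ok = any(acl_rule_restricts_replication(a) for a in d.get("user", []))
    if not REPL_CMDS <= disabled and not acl_ok:
        findings.append("REPLICAOF/SLAVEOF callable by every authenticated client")
    return findings


# Constructed samples: INFO output of a pre-fix 7.2 server, an exposed config, a hardened one.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.13\r\nredis_mode:standalone\r\n"
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass: the attack's only precondition is already met
"""
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass LongRandomPassphrase-change-me
# Application user may use data commands but cannot re-point replication.
user default off
user app on >AppSecret-change-me ~* &* +@all -replicaof -slaveof
"""

if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    print(f"redis_version {v}: {version_status(v)}")
    for finding in audit_redis_conf(WEAK_CONF):
        print("weak.conf:", finding)
    print("hardened.conf findings:", audit_redis_conf(HARDENED_CONF))
```

To use it on a real deployment, feed the output of `redis-cli INFO server` to version_from_info and the live redis.conf to audit_redis_conf. Do not blanket-disable REPLICAOF on a node that Sentinel or an operator must be able to re-point; keep it for an operations user and strip it from application users with ACLs, as the hardened sample does. Any branch the advisory does not list comes back as "unknown" and deserves a manual check against the vendor's release notes rather than an assumption either way.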