Loading
Generated remediation guidance and an executive summary. No account required.
Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.
Cite this page
CVE-2026-21863. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-21863
Use CWE-125, Lfprojects vendor hub and Valkey product page to widen CVE-2026-21863 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2025-49844, CVE-2025-67733 and CVE-2026-27623 for nearby disclosures in the same product family.