How serious is CVE-2026-21863?

This vulnerability has a CVSS score of 7.5 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-21863?

CVE-2026-21863 affects lfprojects valkey. Check the full CVE details for specific version information.

How do I fix CVE-2026-21863?

To remediate CVE-2026-21863, check for security patches from lfprojects. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-21863

High

|7.5

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

An attacker with access to the Valkey database's clusterbus port can send a specially crafted packet that may crash the system, disrupting service. To exploit this vulnerability, the attacker must already have access to the clusterbus, so it's crucial to restrict access with proper network controls.

Technical Description

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactNone

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,053($1K-$5K)

Vendor Response

Grade APatched in 1 day

Quick Information

Published

Feb 23, 2026

about 1 month ago

Last Modified

Feb 25, 2026

about 1 month ago

Vendor

lfprojects

Product

valkey

Related Vulnerabilities

CVE-2026-27623High

An attacker with network access to the Valkey database can send a specially crafted request that causes the system to crash, disrupting service. This vulnerability affects versions 9.0.0 to 9.0.2, so it's crucial to upgrade to version 9.0.3 or ensure that only trusted users can access the system.

CVE-2025-67733High

This vulnerability allows a malicious user to inject harmful data into the responses sent to clients, which can corrupt or alter the information other users receive on the same connection. It affects specific versions of the Valkey database, and the issue arises from improper handling of errors in scripting commands.

CVE-2025-66416High

An attacker can exploit a flaw in the MCP Python SDK to send unauthorized requests to a local server running without authentication, potentially accessing sensitive resources or executing commands on behalf of the user. This vulnerability occurs only if the server is set up on localhost without proper security measures, making it critical to avoid running such servers without authentication.

CVE-2025-66414High

An attacker can exploit this vulnerability to send unauthorized requests to a local MCP server running on a user's machine, potentially accessing sensitive resources or tools. This can happen if the server is running without authentication on localhost and does not have DNS rebinding protection enabled, which is a risky setup that should be avoided.