Valkey Out-of-Bounds Read Vulnerability Leading to Remote Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Valkey, a distributed key-value database, in versions prior to 9.0.2, 8.1.6, 8.0.7, and 7.2.12. The issue lies in the clusterbus packet processing code: when a ping packet advertises ping extensions, the code reads an extension from the receive buffer without first checking that the extension actually lies within the bytes received. An attacker who can reach the clusterbus port can therefore send a packet whose extension count or extension length points past the end of the buffer, causing an out-of-bounds read and potentially crashing the Valkey process. Note that the clusterbus does not apply the AUTH/ACL checks that protect the client port, so network reachability alone is sufficient to deliver such a packet.
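The parsing mistake described above is a classic length-before-bounds error in a TLV walk. The following is an added example written for this page, not Valkey's own code: it parses a simplified extension list (a uint16 count followed by type/unused/length headers, all big-endian, a layout assumed here for illustration) and shows the check that must happen before any header field is read, plus the companion check on the declared length. The packets are constructed inline to exercise the well-formed and the malformed cases.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed extension header layout for this example (not Valkey's exact struct):
 *   uint16 type | uint16 unused | uint32 length (header + payload, in bytes)
 * All fields are big-endian (network order). */
#define EXT_HDR_LEN 8u

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the extensions in a buffer laid out as [uint16 count][ext]...
 * Returns the number of extensions walked, or -1 if the packet claims an
 * extension (or extension bytes) that is not actually inside the buffer. */
int parse_ping_exts(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2) return -1;
    uint16_t count = be16(buf);
    size_t off = 2;

    for (unsigned i = 0; i < count; i++) {
        /* The check the advisory describes as missing: the whole header must
         * be inside the buffer before any field of it is dereferenced. A
         * packet can advertise more extensions than it carries. */
        if (buflen - off < EXT_HDR_LEN) return -1;

        uint16_t type = be16(buf + off);
        uint32_t len  = be32(buf + off + 4);
        (void)type; /* a real parser would dispatch on type here */

        /* The declared length is attacker-controlled: it must cover at least
         * the header (else the walk stalls or rewinds) and must not run past
         * the end of the received bytes. */
        if (len < EXT_HDR_LEN || len > buflen - off) return -1;
        off += len;
    }
    return (int)count;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[] = {
    0x00, 0x02,                                     /* count = 2 */
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, /* type 1, len 16 */
    'h', 'o', 's', 't', 'n', 'a', 'm', 'e',         /* 8-byte payload */
    0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08  /* type 2, len 8 */
};
/* count says 3, only one extension present: the advisory's phantom extension */
static const uint8_t PHANTOM_EXT_PKT[] = {
    0x00, 0x03,
    0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08
};
/* header cut off mid-way */
static const uint8_t TRUNC_HDR_PKT[] = { 0x00, 0x01, 0x00, 0x01, 0x00, 0x00 };
/* length claims 64 bytes, only the 8-byte header is present */
static const uint8_t OVERCLAIM_LEN_PKT[] = {
    0x00, 0x01,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40
};
/* length smaller than the header itself */
static const uint8_t SHORT_LEN_PKT[] = {
    0x00, 0x01,
    0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04
};

int main(void)
{
    printf("good:      %d\n", parse_ping_exts(GOOD_PKT, sizeof GOOD_PKT));
    printf("phantom:   %d\n", parse_ping_exts(PHANTOM_EXT_PKT, sizeof PHANTOM_EXT_PKT));
    printf("trunc:     %d\n", parse_ping_exts(TRUNC_HDR_PKT, sizeof TRUNC_HDR_PKT));
    printf("overclaim: %d\n", parse_ping_exts(OVERCLAIM_LEN_PKT, sizeof OVERCLAIM_LEN_PKT));
    printf("short:     %d\n", parse_ping_exts(SHORT_LEN_PKT, sizeof SHORT_LEN_PKT));
    return 0;
}
```

Both comparisons are written as `buflen - off < ...` and `len > buflen - off` rather than `off + len > buflen` so that an attacker-controlled length cannot wrap the addition; `off` never exceeds `buflen`, so the subtraction is always safe.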
Impact
Exploitation of this vulnerability can cause the Valkey process to terminate, leading to a denial-of-service condition on the affected node. Because a single malformed packet is enough, an attacker with reachability to the clusterbus port can repeat the crash each time the process is restarted.
Remediation
Users are advised to update to a fixed Valkey release: 9.0.2 or later in the 9.0 line (the remediation note as published lists 9.0.3), 8.1.6, 8.0.7, or 7.2.12. Independently of patching, the clusterbus port (by default the client port plus 10000, or whatever `cluster-port` is set to) should never be exposed to end users or untrusted networks: restrict it with its own network ACLs or firewall rules to the addresses of the other cluster nodes, bind it to an internal interface, and consider enabling TLS on the cluster bus (`tls-cluster yes`) so that peers must present a certificate.
