Redis Lua Scripting Use-After-Free Vulnerability Leading to Remote Code Execution

Vulnerability

A use-after-free vulnerability has been identified in Redis when Lua scripting is enabled. The bug is reachable through the master-replica synchronization path. An authenticated user who can run Lua scripts on a replica whose 'replica-read-only' setting is disabled, or who is able to disable that setting, can trigger the use-after-free, which may lead to remote code execution on that replica.

Impact

Exploitation of this vulnerability can result in remote code execution on the affected Redis replica.

Remediation

Upgrade to Redis version 8.6.3, where this vulnerability is patched. If an upgrade is not immediately possible, keep 'replica-read-only' enabled (the default) on every replica, and use ACLs to deny the Lua scripting commands (EVAL, EVALSHA and related) to any user who does not need them.
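The following Python script is an added example, not part of this advisory or of Redis itself. It checks a single instance against the four conditions described above (unpatched version, running as a replica, 'replica-read-only' disabled, a user able to run Lua scripts) and prints the redis-cli commands that close the configuration gap. It works offline on the text of three queries the operator runs beforehand (`redis-cli INFO server`, `redis-cli INFO replication`, `redis-cli CONFIG GET replica-read-only`, `redis-cli ACL LIST`); the sample output embedded below is constructed for the demo, the function names are the example's own, and the ACL evaluation is a simplified heuristic that only tracks rules affecting the @scripting category. Treating every release at or above 8.6.3 as patched is an assumption taken from the remediation note; the advisory names no other fixed branches.

```python
"""Offline audit for the Redis Lua replica use-after-free advisory (added example)."""
import re

# The advisory names 8.6.3 as the fixed release; anything at or above it is
# treated as patched here (assumption: no other fixed branches are named).
FIXED_VERSION = (8, 6, 3)

# Commands that execute or manage Lua code; all belong to the @scripting ACL category.
SCRIPT_CMDS = {"eval", "evalsha", "eval_ro", "evalsha_ro",
               "fcall", "fcall_ro", "function", "script"}


def parse_version(info_text):
    """Return (major, minor, patch) from the 'redis_version:' line of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def parse_role(info_text):
    """INFO replication reports 'role:master' or 'role:slave' (legacy wording)."""
    m = re.search(r"^role:(\w+)", info_text, re.M)
    return m.group(1) if m else "unknown"


def user_can_script(acl_line):
    """Heuristic: walk the command rules of one 'ACL LIST' line in order and
    decide whether the user ends up allowed to call EVAL/EVALSHA/FCALL.
    Key and channel selectors are ignored; this is not a full ACL engine."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    if tokens[2] == "off":          # disabled user cannot run anything
        return False
    allowed = False
    for tok in tokens[3:]:
        low = tok.lower()
        if low in ("+@all", "allcommands", "+@scripting"):
            allowed = True
        elif low in ("-@all", "nocommands", "-@scripting"):
            allowed = False
        elif low[:1] in "+-" and low[1:].split("|")[0] in SCRIPT_CMDS:
            allowed = low.startswith("+")
    return allowed


def audit(info_text, read_only_value, acl_lines):
    """Combine the three query results into findings and an 'exposed' verdict."""
    version = parse_version(info_text)
    role = parse_role(info_text)
    read_only = read_only_value.strip().lower() == "yes"
    scripters = [line.split()[1] for line in acl_lines
                 if line.strip() and user_can_script(line)]
    findings = {
        "version": ".".join(map(str, version)),
        "patched": version >= FIXED_VERSION,
        "role": role,
        "replica_read_only": read_only,
        "users_with_scripting": scripters,
    }
    # All four conditions from the advisory must hold for the replica to be exposed.
    findings["exposed"] = (not findings["patched"] and role == "slave"
                           and not read_only and bool(scripters))
    return findings


def recommendations(findings):
    """redis-cli commands that remove the exposed configuration; the upgrade
    remains the actual fix. CONFIG SET and ACL SETUSER take effect at runtime."""
    cmds = []
    if not findings["patched"]:
        cmds.append("# upgrade to Redis 8.6.3 or later")
    if findings["role"] == "slave" and not findings["replica_read_only"]:
        cmds.append("CONFIG SET replica-read-only yes")
    for user in findings["users_with_scripting"]:
        cmds.append("ACL SETUSER %s -@scripting" % user)
    return cmds


# Constructed sample output (not captured from a real server): a writable replica
# on an unpatched version. A real ACL LIST line carries '#<sha256>' instead of nopass.
SAMPLE_INFO = """\
# Server
redis_version:7.2.4
redis_mode:standalone
# Replication
role:slave
master_host:10.0.0.5
master_link_status:up
"""
SAMPLE_READ_ONLY = "no"
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on nopass ~app:* &* -@all +@read +@write -@scripting",
    "user ops on nopass ~* &* +@all -@scripting +eval",
]

if __name__ == "__main__":
    result = audit(SAMPLE_INFO, SAMPLE_READ_ONLY, SAMPLE_ACL)
    for key, value in result.items():
        print("%-22s %s" % (key + ":", value))
    for cmd in recommendations(result):
        print(cmd)
```

For a live check, feed the script the real output of the four redis-cli commands; the `ops` user in the sample shows why the rules must be evaluated in order, since its trailing `+eval` re-enables scripting after `-@scripting`.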

Added: May 5, 2026, 5:23 PM
Updated: May 5, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 7.5
exploitability: 4.3
remediation: 8.3
relevance: 7.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.