{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T12:10:15.235","vulnerabilities":[{"cve":{"id":"CVE-2026-21863","sourceIdentifier":"security-advisories@github.com","published":"2026-02-23T20:28:53.853","lastModified":"2026-02-25T17:49:51.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious actor with access to the Valkey clusterbus port can send an invalid packet that may cause an out bound read, which might result in the system crashing. The Valkey clusterbus packet processing code does not validate that a clusterbus ping extension packet is located within buffer of the clusterbus packet before attempting to read it. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. As an additional mitigation, don't expose the cluster bus connection directly to end users, and protect the connection with its own network ACLs."},{"lang":"es","value":"Valkey es una base de datos distribuida de clave-valor. Antes de las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12, un actor malicioso con acceso al puerto clusterbus de Valkey puede enviar un paquete inválido que puede causar una lectura fuera de límites, lo que podría resultar en la caída del sistema. El código de procesamiento de paquetes clusterbus de Valkey no valida que un paquete de extensión ping de clusterbus esté ubicado dentro del búfer del paquete clusterbus antes de intentar leerlo. Las versiones 9.0.2, 8.1.6, 8.0.7 y 7.2.12 solucionan el problema. Como una mitigación adicional, no exponga la conexión del bus de clúster directamente a los usuarios finales y proteja la conexión con sus propias ACL de red."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-125"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionEndExcluding":"7.2.12","matchCriteriaId":"0A7DFDB2-5FDE-4F69-9B9E-7ED6D910EF76"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.7","matchCriteriaId":"2375C3CF-6580-4EA0-AA6A-A92198CB7E1F"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"8.1.0","versionEndExcluding":"8.1.6","matchCriteriaId":"03050B63-5660-4DFF-B6AC-3E701B9D199D"},{"vulnerable":true,"criteria":"cpe:2.3:a:lfprojects:valkey:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.2","matchCriteriaId":"315880B4-E0D2-4366-8E7B-2B97D82BA92E"}]}]}],"references":[{"url":"https://github.com/valkey-io/valkey/security/advisories/GHSA-c677-q3wr-gggq","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}