CVE-2022-31144

HIGH

Redis 7.0-7.0.3 - Heap-based Buffer Overflow via XAUTOCLAIM Command

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-31144. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary: This PoC demonstrates a denial-of-service (DoS) vulnerability in Redis by exploiting a flaw in stream handling and memory management. The script manipulates Redis streams and groups to trigger excessive memory consumption or crashes.

Description

Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result in a heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.

Exploits (1)

nomisec · WORKING POC · 1 star
by SpiralBL0CK · poc
https://github.com/SpiralBL0CK/CVE-2022-31144

Classification
Working PoC: 90%
Attack Type: DoS
Complexity: Moderate
Reliability: Reliable
Target: Redis (version not specified, likely affected versions prior to patch)
Authentication: No auth needed
Prerequisites: Access to Redis instance · Redis instance without authentication or with known credentials
Analyzed by devstral-2 on Feb 16, 2026

References (4)

Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/redis/redis/releases/tag/7.0.4
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20220909-0002/
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202209-17

Scores

CVSS v3 7.0
EPSS 0.0229
EPSS Percentile 80.9%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-122 CWE-787
Status published
Products (1)
redis/redis 7.0 - 7.0.4
Published Jul 19, 2022
Tracked Since Feb 18, 2026