CVE-2026-23631

HIGH

redis-server Lua use-after-free may allow remote code execution

Title source: cna

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-23631. PoCs published by yoyosh, HORKimhab.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-23631, targeting a Redis Lua scripting vulnerability. The exploit uses a multi-stage approach involving memory corruption, fake object manipulation, and RDB payload delivery to achieve remote code execution.

Description

Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where replica-read-only is disabled. This is patched in version 8.6.3.

Exploits (2)

GitHub · WORKING POC · 1 star
by yoyosh · python poc
https://github.com/yoyosh/DarkReplica


Classification: Working PoC (95%)
Attack type: RCE
Complexity: Complex
Reliability: Reliable
Target: Redis (specific version not specified)
No auth needed
Prerequisites: Network access to Redis server · Redis server with Lua scripting enabled
Analyzed by devstral-2 on Jun 02, 2026
GitHub · STUB
by HORKimhab · poc
https://github.com/HORKimhab/CVE-2026-23631

The repository contains only placeholder files (README.md, LICENSE, .gitignore, and a template file) with no actual exploit code or technical details about CVE-2026-23631. The README is a generic template with no specific information about the vulnerability or exploit.

Classification: Stub (95%)
Attack type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
Analyzed by devstral-2 on Jun 04, 2026

References (2)

Core references (2)
x_refsource_misc: https://github.com/redis/redis/releases/tag/8.6.3

Scores

CVSS v3: 8.1
EPSS: 0.0009
EPSS percentile: 26.0%
Attack vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical impact: total

Details

CWE: CWE-416
Status: published
Products (1): redis/redis < 8.6.3 (2 CPE variants)
Published: May 05, 2026
Tracked since: May 05, 2026