[security][CRITICAL] redis 8.2.6: 4 CVE require triage #6

New issue

Open

opened 2026-05-25 00:46:40 +03:00 by sbelikov · 0 comments

sbelikov commented

2026-05-25 00:46:40 +03:00

Owner

CVE triage request / Запрос на разбор CVE

Package / Пакет

Package: redis
Version: 8.2.6
EVR: 8.2.6-1
Category: -
Policy class: -
NiceOS policy class: -
Owner: -
Severity: CRITICAL
Max CVSS: 10.0
CVE count: 4

LLM recommendation / Рекомендация LLM

RU

Для пакета redis 8.2.6 найдены CVE-кандидаты по данным NVD/CPE: CVE-2022-0543, CVE-2022-3734, CVE-2026-23479, CVE-2026-25243. Требуется triage security-team.

Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета.

Рекомендуемое действие: needs_triage

Подсказка по целевой версии: -

Проверки: Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета.

Риски: Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС.

EN

NVD/CPE candidate CVEs were found for redis 8.2.6: CVE-2022-0543, CVE-2022-3734, CVE-2026-23479, CVE-2026-25243. Security-team triage is required.

Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required.

Recommended action: needs_triage

Target version hint: -

Tests: Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests.

Risks: An automatic NVD/CPE match is not the final NiceOS vulnerability verdict.

CVE candidates from NVD/CPE

CVE	Severity	CVSS	Match	NiceOS status	Reason
CVE-2022-0543	CRITICAL	10.0	cpe-generic	needs_triage	generic CPE product match without version range; needs triage
CVE-2022-3734	CRITICAL	9.8	cpe-generic	needs_triage	generic CPE product match without version range; needs triage
CVE-2026-23479	HIGH	7.7	cpe-range	needs_triage	package version is inside version range
CVE-2026-25243	HIGH	7.7	cpe-range	needs_triage	package version is inside version range

Descriptions

CVE-2022-0543

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CVE-2022-3734

A vulnerability was found in a port or fork of Redis. It has been declared as critical. This vulnerability affects unknown code in the library C:/Program Files/Redis/dbghelp.dll. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of this vulnerability is VDB-212416. NOTE: The official Redis release is not affected. This issue might affect an unofficial fork or port on Windows only.

CVE-2026-23479

Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from processCommandAndResetClient when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3.

CVE-2026-25243

Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3.

Maintainer checklist

Verify whether each CVE applies to the NiceOS build.
Compare NVD data with upstream/vendor advisory.
Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
If affected, decide update/backport strategy according to package policy class.
Run package-class-specific build, upgrade and regression tests.
Add/update niceos_cve_triage entry.
Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2022-0543",
    "CVE-2022-3734",
    "CVE-2026-23479",
    "CVE-2026-25243"
  ],
  "fingerprint": "2d00525b13d12df78fa3",
  "generated_at": "2026-05-24T21:46:39Z",
  "package": "redis",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "8.2.6"
}

# CVE triage request / Запрос на разбор CVE ## Package / Пакет - Package: `redis` - Version: `8.2.6` - EVR: `8.2.6-1` - Category: `-` - Policy class: `-` - NiceOS policy class: `-` - Owner: `-` - Severity: `CRITICAL` - Max CVSS: `10.0` - CVE count: `4` ## LLM recommendation / Рекомендация LLM ### RU Для пакета redis 8.2.6 найдены CVE-кандидаты по данным NVD/CPE: CVE-2022-0543, CVE-2022-3734, CVE-2026-23479, CVE-2026-25243. Требуется triage security-team. Проверить применимость CVE к сборке НАЙС.ОС, сопоставить с upstream/vendor advisory, определить статус affected/fixed/not_affected и при необходимости подготовить обновление пакета. **Рекомендуемое действие:** `needs_triage` **Подсказка по целевой версии:** `-` **Проверки:** Проверить сборку RPM, обновление пакета, совместимость зависимостей, service/CLI smoke tests и регрессионные сценарии по классу пакета. **Риски:** Автоматическое совпадение NVD/CPE не является финальным вердиктом по НАЙС.ОС. ### EN NVD/CPE candidate CVEs were found for redis 8.2.6: CVE-2022-0543, CVE-2022-3734, CVE-2026-23479, CVE-2026-25243. Security-team triage is required. Verify CVE applicability to the NiceOS build, compare with upstream/vendor advisories, set affected/fixed/not_affected status, and prepare a package update if required. **Recommended action:** `needs_triage` **Target version hint:** `-` **Tests:** Run RPM build, package upgrade, dependency compatibility, service/CLI smoke tests, and package-class-specific regression tests. **Risks:** An automatic NVD/CPE match is not the final NiceOS vulnerability verdict. ## CVE candidates from NVD/CPE | CVE | Severity | CVSS | Match | NiceOS status | Reason | |---|---|---:|---|---|---| | CVE-2022-0543 | CRITICAL | 10.0 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage | | CVE-2022-3734 | CRITICAL | 9.8 | cpe-generic | needs_triage | generic CPE product match without version range; needs triage | | CVE-2026-23479 | HIGH | 7.7 | cpe-range | needs_triage | package version is inside version range | | CVE-2026-25243 | HIGH | 7.7 | cpe-range | needs_triage | package version is inside version range | ## Descriptions ### CVE-2022-0543 It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution. ### CVE-2022-3734 A vulnerability was found in a port or fork of Redis. It has been declared as critical. This vulnerability affects unknown code in the library C:/Program Files/Redis/dbghelp.dll. The manipulation leads to uncontrolled search path. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of this vulnerability is VDB-212416. NOTE: The official Redis release is not affected. This issue might affect an unofficial fork or port on Windows only. ### CVE-2026-23479 Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-after-free that may lead to remote code execution. This has been patched in version 8.6.3. ### CVE-2026-25243 Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in version 8.6.3. ## Maintainer checklist - [ ] Verify whether each CVE applies to the NiceOS build. - [ ] Compare NVD data with upstream/vendor advisory. - [ ] Set final NiceOS status: `affected`, `fixed`, `not_affected`, `false_positive`, `deferred`, or `not_in_cloud_image`. - [ ] If affected, decide update/backport strategy according to package policy class. - [ ] Run package-class-specific build, upgrade and regression tests. - [ ] Add/update `niceos_cve_triage` entry. - [ ] Create `NICE-SA` advisory if a security update is shipped. ## Machine metadata ```json { "cves": [ "CVE-2022-0543", "CVE-2022-3734", "CVE-2026-23479", "CVE-2026-25243" ], "fingerprint": "2d00525b13d12df78fa3", "generated_at": "2026-05-24T21:46:39Z", "package": "redis", "prompt_version": "niceos_cve_issue_analysis_v1", "tool": "niceos_cve_create_issues.py", "tool_version": "1.0", "version": "8.2.6" } ```