Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server
Cybersecurity NewsArchived Jun 08, 2026✓ Full text saved
In May 2026, Redis developers fixed a dangerous post-authentication remote code execution vulnerability, dubbed DarkReplica (CVE-2026-23631), that allowed attackers to gain full control of a Redis host. Redis provides powerful server-side Lua engines, allowing administrators to run custom logic directly in the database. There are two such engines: the older scripting engine and the newer […] The post Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server appear
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server
By Abinaya
June 8, 2026
In May 2026, Redis developers fixed a dangerous post-authentication remote code execution vulnerability, dubbed DarkReplica (CVE-2026-23631), that allowed attackers to gain full control of a Redis host.
Redis provides powerful server-side Lua engines, allowing administrators to run custom logic directly in the database.
There are two such engines: the older scripting engine and the newer functions engine, which stores libraries and synchronizes them between nodes.
DarkReplica targets the functions engine during replication. An attacker who can authenticate to a Redis instance can instruct that server to become a replica of an attacker-controlled master using the SLAVEOF command.
When the replica synchronizes, the server may load a new function context from the incoming RDB (Redis dump) file.
Redis RCE Vulnerability
The issue was discovered during a ZeroDay.Cloud 2025 research effort and demonstrated how complex features and unexpected interactions can lead to critical risks.
Redis handles long-running Lua functions by periodically yielding to process events this is how FUNCTION KILL works.
But processing replication events while a slow function is paused opens a loophole: the replication handler frees the running Lua engine and replaces it with a new context without preventing the paused function from resuming.
The paused function then continues executing with its lua_State and related objects freed, producing a use-after-free condition.
Exploiting that condition is complex but practical. Researchers built primitives to leak heap addresses, force deterministic heap allocations, and create fake Lua objects.
By running the vulnerable code inside coroutines and carefully spraying the Lua memory arena, they regained control of the Lua VM and produced read/write primitives.
From there, they redirected internal function pointers to call libc functions. They ultimately invoked system commands, achieving full remote code execution on the host.
The vulnerability impacted many maintained Redis release series and was patched on May 5, 2026, across versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x.
Operators must upgrade to fixed releases immediately and audit exposed Redis instances.
Because exploitation requires authentication and advanced memory work, risk is highest for misconfigured servers that allow weak or no credentials, or for environments where attackers can obtain valid credentials.
The incident highlights that complex in-process scripting and replication features increase the attack surface, underscoring the importance of careful synchronization and lifecycle management.
Users should update Redis, enforce strong authentication and network controls, and monitor for unexpected changes to agent configuration or functionality.
The researcher published the full technical write-up and exploit. Vendors and cloud security tools now offer advisories to detect affected installations.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
Hackers Publish Malicious Python Package Mimicking Legitimate Parsimonious Parser
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users
Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems
Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances
Latest News
Cyber Security News
Microsoft Warns Claude Code GitHub Action Could Leak CI/CD Workflow Secrets
Cyber Security
Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens
Cyber Security
New EDRChoker Tool Uses Policy-Based Quality of Service to Block EDR Processes
Cyber Security
Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers
Cyber Security News
CISA Warns of Linux Kernel Improper Authentication Vulnerability Exploited in Attacks