Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
In May 2026, Redis developers fixed a dangerous post-authentication remote code execution vulnerability, dubbed DarkReplica (CVE-2026-23631<\/a>), that allowed attackers to gain full control of a Redis host.<\/p>\n Redis provides powerful server-side Lua engines, allowing administrators to run custom logic directly in the database.<\/p>\n There are two such engines: the older scripting engine and the newer functions engine, which stores libraries and synchronizes them between nodes.<\/p>\n DarkReplica targets the functions engine during replication. An attacker who can authenticate to a Redis instance can instruct that server to become a replica of an attacker-controlled master using the SLAVEOF command<\/a>.<\/p>\n When the replica synchronizes, the server may load a new function context from the incoming RDB (Redis dump) file.<\/p>\n The issue was discovered during a ZeroDay.Cloud 2025 research<\/a> effort and demonstrated how complex features and unexpected interactions can lead to critical risks.<\/p>\n Redis handles long-running Lua functions by periodically yielding to process events this is how FUNCTION KILL works.<\/p>\n But processing replication events while a slow function is paused opens a loophole: the replication handler frees the running Lua engine and replaces it with a new context without preventing the paused function from resuming.<\/p>\n The paused function then continues executing with its lua_State and related objects freed, producing a use-after-free condition<\/a>.<\/p>\n Exploiting that condition is complex but practical. Researchers built primitives to leak heap addresses, force deterministic heap allocations, and create fake Lua objects.<\/p>\n By running the vulnerable code inside coroutines and carefully spraying the Lua memory arena, they regained control of the Lua VM and produced read\/write primitives.<\/p>\n From there, they redirected internal function pointers to call libc functions. They ultimately invoked system commands, achieving full remote code execution on the host<\/a>.<\/p>\n The vulnerability impacted many maintained Redis release series and was patched on May 5, 2026, across versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x.<\/p>\n Operators must upgrade to fixed releases immediately and audit exposed Redis instances<\/a>.<\/p>\n Because exploitation requires authentication and advanced memory work, risk is highest for misconfigured servers that allow weak or no credentials, or for environments where attackers can obtain valid credentials.<\/p>\n The incident highlights that complex in-process scripting and replication features increase the attack surface, underscoring the importance of careful synchronization and lifecycle management.<\/p>\n Users should update Redis, enforce strong authentication and network controls, and monitor for unexpected changes to agent configuration or functionality.<\/p>\n The researcher published the full technical write-up and exploit. Vendors and cloud security tools now offer advisories to detect affected installations.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n \n The post Critical Redis RCE Vulnerability Enable Attackers to Gain Complete Control to Host Server<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nRedis RCE Vulnerability<\/strong><\/h2>\n