
Redis blocking-client use-after-free RCE (CVE-2026-23479)

Vulnerability
H score 32
1 unique source, 1 article

Summary

Redis fixed CVE-2026-23479, a use-after-free in blocking-client code that can allow arbitrary OS command execution on affected hosts. The flaw affects Redis starting in 7.2.0 across multiple stable branches, and the patched releases landed on May 5. Redis says it has seen no evidence of exploitation in its own or customer environments.

Timeline

  1. 03.06.2026 16:47 1 article · 9h ago

    Redis releases fixed versions for CVE-2026-23479

    Mitigation Patch Update

    Redis released fixed versions 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3 on May 5 to address CVE-2026-23479, a use-after-free in blocking-client code that can let an authenticated user run arbitrary OS commands on the host.

  2. 03.06.2026 16:47 2 articles · 9h ago

    Redis discloses CVE-2026-23479 use-after-free in blocking-client code

    Initial Disclosure

    Redis disclosed CVE-2026-23479 after Team Xint Code found the flaw with an autonomous AI tool and Wiz published a technical exploit write-up. The issue is a use-after-free in blocking-client code that can let an authenticated user run arbitrary OS commands on the host, and Redis said it had no evidence of exploitation in its own or customer environments.
