## https://sploitus.com/exploit?id=6E4DFF81-901D-53B8-8FDF-518F2A170A08
# redis-cve-2026-23479-check

A **safe, read-only** version checker for **CVE-2026-23479**, the use-after-free in Redis's blocking-client code that lets an *authenticated* user reach remote code execution on the host.

> **It does not exploit the bug.** It connects, optionally authenticates, runs a single read-only `INFO server`, parses the version, and compares it to the fixed-release list. It never sends a blocking command and never touches the vulnerable code path. Use it only against instances you own or are explicitly authorized to test.

## Why this matters

"Authenticated" sounds reassuring until you remember how Redis actually ships: for years the default was **no password**, and even now it's the trusted cache/queue/session box that **nobody firewalls internally**. An authenticated RCE on a component every app server can already reach, on a flat network, is a lateral-movement superhighway. And as of this writing there is **no public PoC**, which means you're *left of the boom*. That's the cheapest place a defender ever gets to stand. Use it: find your exposed instances and patch before the exploit lands.

## The bug

- **CVE-2026-23479**: use-after-free in blocking-client handling. When a blocked client is evicted while re-executing a blocked command, an authenticated user can trigger a UAF, with potential RCE.
- **Introduced:** Redis 7.2.0. Present in every stable branch until the **2026-05-05** fixes.
- **CVSS:** 8.8 (NVD, CVSS 3.1); 7.7 (Redis, CVSS 4.0).
- **Fixed in:** `6.2.22`, `7.2.14`, `7.4.9`, `8.2.6`, `8.4.3`, `8.6.3`.

## Usage

No dependencies, just Python 3.

```
python3 check.py HOST [-p PORT] [-a PASSWORD] [--user ACL_USER] [--tls] [--insecure]
```

Examples:

```
python3 check.py 127.0.0.1
python3 check.py redis.internal -p 6380 -a "$REDIS_PASSWORD"
python3 check.py redis.example.com --tls            # cert verified by default
python3 check.py redis.internal --tls --insecure    # self-signed internal cert (opt-in)
```

Exit code is **0** when patched/unaffected and **1** when action is needed (vulnerable / verify), so it drops straight into CI:

```
python3 check.py "$REDIS_HOST" -a "$REDIS_PASSWORD" || echo "::warning::Redis needs the CVE-2026-23479 patch"
```
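The check described above (connect, optionally `AUTH`, send one read-only `INFO server`, parse `redis_version`, compare against the fixed-release list per branch, and map the verdict to the CI exit code) condensed into a stand-alone script. This is an added example, not the project's `check.py`: the RESP encoder/decoder, the `FIXED_BY_BRANCH` table built from the list above, and the `SAMPLE_INFO` text are all constructed here. Versions on a branch that is not in the table are reported as `VERIFY` rather than guessed.

```python
"""Added example: read-only CVE-2026-23479 version check over raw RESP."""
import re
import socket
import sys
from typing import Optional, Tuple

# Fixed releases from the advisory list on this page, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {
    (6, 2): (6, 2, 22),
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}

# Constructed sample of an `INFO server` body, used for offline testing.
SAMPLE_INFO = "# Server\r\nredis_version:7.2.13\r\nredis_mode:standalone\r\nos:Linux\r\n"


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings (*N, then $len/arg pairs)."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        b = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(b), b)
    return out


def parse_bulk_reply(raw: bytes) -> bytes:
    """Return the payload of a RESP bulk-string reply; raise on an error reply."""
    if raw.startswith(b"-"):
        raise RuntimeError(raw.split(b"\r\n", 1)[0][1:].decode(errors="replace"))
    if not raw.startswith(b"$"):
        raise ValueError("expected a bulk string reply")
    header, _, rest = raw.partition(b"\r\n")
    length = int(header[1:])
    if length < 0:
        raise ValueError("null bulk reply")
    return rest[:length]


def parse_version(info_text: str) -> Tuple[int, int, int]:
    """Pull major.minor.patch out of the redis_version line of INFO output."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(version: Tuple[int, int, int]) -> str:
    """PATCHED / VULNERABLE by branch; VERIFY when the branch is not in the fix table."""
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "VERIFY"
    return "PATCHED" if version >= fixed else "VULNERABLE"


def exit_code(status: str) -> int:
    """0 only when patched; vulnerable and verify both require action (1)."""
    return 0 if status == "PATCHED" else 1


def _recv_reply(sock: socket.socket) -> bytes:
    """Read one RESP reply: a single line, or a $-prefixed bulk string with its body."""
    line = b""
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise ConnectionError("connection closed")
        line += chunk
    if not line.startswith(b"$"):
        return line  # +OK, -ERR, or an integer reply
    need = int(line[1:]) + 2  # body plus trailing CRLF
    body = b""
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        body += chunk
    return line + body


def check_host(host: str, port: int = 6379, password: Optional[str] = None,
               user: Optional[str] = None, timeout: float = 5.0) -> str:
    """Connect, optionally AUTH, send INFO server, and return the classification."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if password:
            auth = ("AUTH", user, password) if user else ("AUTH", password)
            sock.sendall(encode_command(*auth))
            reply = _recv_reply(sock)
            if reply.startswith(b"-"):
                raise RuntimeError(reply.decode(errors="replace").strip())
        sock.sendall(encode_command("INFO", "server"))
        info = parse_bulk_reply(_recv_reply(sock)).decode(errors="replace")
    return classify(parse_version(info))


if __name__ == "__main__":
    status = check_host(sys.argv[1], password=sys.argv[2] if len(sys.argv) > 2 else None)
    print(status)
    sys.exit(exit_code(status))
```

Run as `python3 script.py HOST [PASSWORD]`; the exit code follows the same 0/1 convention as the project's checker, so the CI one-liner above works unchanged. TLS is left out of this example to keep the RESP exchange visible; wrapping the socket with `ssl.SSLContext.wrap_socket` is the only addition needed.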

## If it says VULNERABLE

1. Upgrade to the fixed release for your branch (above).
2. On anything you can't patch immediately: **require auth** and rotate the password, and **put the Redis port behind network policy** so only the services that need it can reach it, not the whole VLAN. If an attacker can't reach the port and can't authenticate, an authenticated UAF is a bug they can't touch.

## Detecting exploitation

See [`detection/redis-cve-2026-23479.sigma.yml`](detection/redis-cve-2026-23479.sigma.yml), a host-based Sigma rule that catches the **outcome** of any Redis RCE (the `redis-server` process spawning a shell or unexpected child), which is far more robust than trying to fingerprint the exact exploit packets.
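The outcome-based logic that rule describes, as an added example run over constructed process-creation events (not the repository's Sigma file, and not its exact selection): any child spawned by a `redis-server` parent is flagged, with a shell child rated higher than other binaries. The JSON field names `ParentImage` and `Image` follow the Sysmon/Sigma process-creation convention; the sample events are made up for the test.

```python
"""Added example: flag redis-server spawning children in process-creation events."""
import json
import os
from typing import Dict, List, Tuple

# Children that almost always mean command execution rather than a benign helper.
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# Constructed sample events (Sigma process_creation field names), one JSON object per line.
SAMPLE_EVENTS = [
    '{"ParentImage": "/usr/bin/redis-server", "Image": "/bin/sh", "CommandLine": "sh -c id"}',
    '{"ParentImage": "/usr/bin/redis-server", "Image": "/usr/bin/redis-server", "CommandLine": "redis-server"}',
    '{"ParentImage": "/usr/sbin/nginx", "Image": "/bin/sh", "CommandLine": "sh -c true"}',
    '{"ParentImage": "/usr/bin/redis-server", "Image": "/usr/bin/curl", "CommandLine": "curl example.invalid"}',
]


def is_redis_spawn(event: Dict[str, str]) -> bool:
    """True when redis-server is the parent of a process that is not redis-server itself.

    A BGSAVE/BGREWRITEAOF fork keeps the same image, so a redis-server child
    is excluded; redis-server exec()s nothing else in normal operation.
    """
    parent = os.path.basename(event.get("ParentImage", ""))
    child = os.path.basename(event.get("Image", ""))
    return parent == "redis-server" and child != "redis-server"


def severity(event: Dict[str, str]) -> str:
    """Shell children are 'high'; any other unexpected child is 'medium'."""
    return "high" if os.path.basename(event.get("Image", "")) in SHELLS else "medium"


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (child image, severity) for every event matching the rule."""
    hits = []
    for line in lines:
        event = json.loads(line)
        if is_redis_spawn(event):
            hits.append((event["Image"], severity(event)))
    return hits


if __name__ == "__main__":
    for image, sev in scan(SAMPLE_EVENTS):
        print(f"[{sev}] redis-server spawned {image}")
```

Because the match is on the parent/child relationship rather than on request bytes, it fires regardless of which Redis bug or misconfiguration produced the shell, which is the point of detecting the outcome.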

---

Powered by **DugganUSA** threat intelligence: 1M+ IOCs, STIX 2.1 feed, free tier.
[analytics.dugganusa.com](https://analytics.dugganusa.com/stix/register). We ship the shield, not the sword.