HackMyIP
2026-06-03 The Hacker News

Autonomous AI Uncovers 2-Year-Old Redis RCE Flaw (CVE-2026-23479)

Vulnerability, Cloud Security, AI Security

Redis has patched a use-after-free vulnerability in its blocking-client code that allows an authenticated user to execute arbitrary OS commands on the host running the database. Tracked as CVE-2026-23479, the flaw was introduced in Redis 7.2.0 and remained in every stable branch until the May 5 fix, undetected for over two years. The bug was reported by Team Xint Code and discovered by an autonomous AI tool purpose-built to hunt vulnerabilities in large codebases. NVD rates the issue 8.8 under CVSS 3.1, while Redis lists it at 7.7 under CVSS 4.0, making it one of the more serious defects the project has shipped in recent memory.

The bug lives in unblockClientOnKey() within src/blocked.c, which fires when a key event wakes a blocked command. The function dispatches the queued command through processCommandAndResetClient() and then continues using the same client pointer, even though that function's own header comment warns it can free the client as a side effect (CWE-416). The flaw took two commits to build: a January 2023 refactor (PR #11012) added the unchecked call, and a March 2023 change (PR #11568) layered additional client access on top. Neither was dangerous alone, but together they shipped in 7.2.0 and survived multiple security reviews. The published exploit chain leaks a heap address via a one-line Lua EVAL, grooms client memory limits to park a bloated client on a stream, then wakes it so Redis frees the blocked client mid-call while a pipelined SET reclaims the slot with a fake client structure. The chain finishes by abusing updateClientMemoryUsage() to perform an out-of-bounds write against the Global Offset Table, repointing strcasecmp() at system() so the next parsed command runs as a shell command.

The cloud footprint amplifies the impact. Wiz's analysis, published alongside the exploit writeup, shows Redis present in a large majority of cloud environments, with most instances running without authentication. While the chain requires an authenticated session, the default user in a default deployment already holds every ACL category the exploit needs, including @admin, @scripting, @stream, and @read/@write. The official Redis Docker image also ships with only partial RELRO, leaving the GOT writable at runtime, and because ASLR and PIE do not change the relative offset between entries, the final overwrite is straightforward. Security teams should immediately patch to the May 5 release, audit exposed Redis instances, and confirm that strong authentication is enforced. Operators should scan their perimeter for exposed Redis ports, verify that no instance still accepts default or empty credentials, and review the rest of their cloud configuration for the same kind of exposure.
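As an added example (not code from the article, Redis or Wiz), a small Python audit that parses `ACL LIST` output and flags enabled, passwordless users holding every category the chain needs. The ACL entries in the sample are constructed, the password hash is a placeholder, and the parsing is a category-level approximation that ignores per-command rules and selectors.

```python
"""Audit Redis `ACL LIST` output for users meeting the CVE-2026-23479 chain's
preconditions: enabled, usable without a password, and holding @admin,
@scripting, @stream, @read and @write."""

# Categories the chain needs, as listed in the article.
REQUIRED = {"admin", "scripting", "stream", "read", "write"}

def parse_acl_line(line):
    """Parse one `ACL LIST` entry such as
    'user default on nopass sanitize-payload ~* &* +@all' into its enabled and
    nopass flags plus the effective category set (command-level rules and
    selectors are ignored; this is a category-level approximation)."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST entry: {line!r}")
    info = {"name": tokens[1], "enabled": False, "nopass": False, "cats": set()}
    for tok in tokens[2:]:
        if tok == "on":
            info["enabled"] = True
        elif tok == "off":
            info["enabled"] = False
        elif tok == "nopass":
            info["nopass"] = True
        elif tok[0] in "#>":  # password hash (#...) or clear-text password (>...)
            info["nopass"] = False
        elif tok in ("allcommands", "+@all"):
            info["cats"] = set(REQUIRED)  # superset of what we check for
        elif tok in ("nocommands", "-@all"):
            info["cats"] = set()
        elif tok.startswith("+@"):
            info["cats"].add(tok[2:])
        elif tok.startswith("-@"):
            info["cats"].discard(tok[2:])
    return info

def exposed_users(acl_list_output):
    """Names of enabled, passwordless users holding every required category."""
    users = map(parse_acl_line, acl_list_output.strip().splitlines())
    return [u["name"] for u in users
            if u["enabled"] and u["nopass"] and REQUIRED <= u["cats"]]

# Constructed sample: a stock default user, a scoped app user with a password
# hash (placeholder, not a real SHA-256), and a passwordless but reduced user.
SAMPLE = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256-hash-placeholder> ~app:* &* -@all +@read +@write
user ops on nopass ~* &* +@all -@scripting -@admin
"""

if __name__ == "__main__":
    for name in exposed_users(SAMPLE):
        print(f"[!] user '{name}' is enabled, has no password and holds {sorted(REQUIRED)}")
```

Feed it the output of `redis-cli ACL LIST` from each instance; any user it reports should get a password set or its @admin/@scripting categories removed until the patched release is deployed.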

Source: The Hacker News
