Redis 7.2.14

Security release addressing three critical vulnerabilities that could lead to remote code execution, plus bug fixes for crashes in subscribe operations, config validation, and script debugging.

Update urgency: SECURITY: There are security fixes in the release.

Security fixes

  • (CVE-2026-23479) Use-After-Free in unblock client flow may lead to remote code execution
  • (CVE-2026-25243) Invalid memory access in RESTORE may lead to remote code execution
  • (CVE-2026-23631) Lua Use-After-Free may lead to remote code execution

Bug fixes

  • SUBSCRIBE, PSUBSCRIBE, SSUBSCRIBE: crash on OOM (RED-167788)
  • CONFIG SET: some settings allow invalid characters (RED-167787)
  • SCRIPT DEBUG: potential crash on scripts (RED-175507)