Redis 7.4.9

Critical security release fixing three remote code execution vulnerabilities in the unblock client flow, RESTORE command, and Lua execution, plus bug fixes for subscribe crash on OOM and config validation issues.

Update urgency: SECURITY: There are security fixes in the release.

Security fixes

  • (CVE-2026-23479) Use-After-Free in unblock client flow may lead to Remote Code Execution
  • (CVE-2026-25243) Invalid memory access in RESTORE may lead to Remote Code Execution
  • (CVE-2026-23631) Lua Use-After-Free may lead to Remote Code Execution

Bug fixes

  • SUBSCRIBE, PSUBSCRIBE, SSUBSCRIBE: crash on OOM (RED-167788)
  • CONFIG SET: some settings allow invalid characters (RED-167787)
  • SCRIPT DEBUG: potential crash on scripts (RED-175507)