CVE-2026-21864

6.5 MEDIUM

📋 TL;DR

A vulnerability in the Valkey-Bloom module allows a specially crafted RESTORE command to trigger an assertion failure that shuts down the Valkey server. It affects deployments running Valkey with the Valkey-Bloom module loaded. The root cause is that the module did not set the error-handling flag required for RDB parsing, so a malformed module payload ended in an assertion instead of being returned to the client as an error. The server's own RESTORE checks cover only the payload framing (RDB version and CRC-64 footer), not the module-typed body, which is why the module's loader has to reject bad input itself.
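To make the TL;DR concrete, the following added example (written for this page, not code from the Valkey project or valkey-bloom) reimplements in Python the footer check the server applies to a DUMP/RESTORE payload: a 2-byte little-endian RDB version followed by a little-endian CRC-64 (the reflected "Jones" polynomial used for RDB checksums) over everything before it. The sample payload is constructed: a module-typed marker byte followed by bytes no bloom-filter parser would accept. It passes the framing check anyway, which is exactly the path on which the module's own RDB load callback must handle errors rather than assert. The maximum RDB version (12) is an assumption; pass the value your server build uses.

```python
"""Server-side RESTORE payload framing check, reimplemented for illustration.

Added example, not code from Valkey or valkey-bloom. Shows that a payload with
a valid version/CRC footer but a garbage module body is accepted by the
server-level check and handed to the module's loader.
"""
import struct

# CRC-64 as used by Redis/Valkey for RDB and DUMP checksums (CRC-64/REDIS:
# reflected, init 0, no final XOR). 0x95AC9329AC4BC9B5 is the bit-reversed
# form of the polynomial 0xAD93D23594C935A9.
_POLY_REFLECTED = 0x95AC9329AC4BC9B5


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            if c & 1:
                c = (c >> 1) ^ _POLY_REFLECTED
            else:
                c >>= 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc64(data: bytes, crc: int = 0) -> int:
    """Table-driven reflected CRC-64; crc64(b"123456789") is the known check value."""
    for b in data:
        crc = (crc >> 8) ^ _TABLE[(crc ^ b) & 0xFF]
    return crc


def verify_dump_payload(payload: bytes, max_rdb_version: int) -> bool:
    """Mirror the server's footer check: version not newer than ours, CRC matches.

    max_rdb_version is the server build's RDB_VERSION (assumed 12 in demo()).
    """
    if len(payload) < 10:
        return False
    rdbver = struct.unpack_from("<H", payload, len(payload) - 10)[0]
    if rdbver > max_rdb_version:
        return False
    expected = struct.unpack_from("<Q", payload, len(payload) - 8)[0]
    return crc64(payload[:-8]) == expected


def encode_dump_payload(body: bytes, rdbver: int) -> bytes:
    """Append the version + CRC footer the way DUMP does."""
    framed = body + struct.pack("<H", rdbver)
    return framed + struct.pack("<Q", crc64(framed))


# Constructed sample body: 0x07 marks a module-typed value in a DUMP payload;
# the bytes after it are deliberately meaningless to any bloom-filter parser.
GARBAGE_MODULE_BODY = b"\x07" + b"\xff" * 16


def demo(max_rdb_version: int = 12) -> dict:
    """Exercise the check on a well-framed garbage body, a bad CRC and a future RDB version."""
    good = encode_dump_payload(GARBAGE_MODULE_BODY, rdbver=max_rdb_version)
    tampered = good[:-1] + bytes([good[-1] ^ 0x01])          # flip one CRC bit
    future = encode_dump_payload(GARBAGE_MODULE_BODY, rdbver=max_rdb_version + 1)
    return {
        "garbage_body_passes_framing": verify_dump_payload(good, max_rdb_version),
        "bad_crc_rejected": not verify_dump_payload(tampered, max_rdb_version),
        "newer_rdb_version_rejected": not verify_dump_payload(future, max_rdb_version),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result is the one that matters for this CVE: the server is satisfied, and whatever follows the marker byte is the module's problem. A module loader that treats unexpected bytes as a fatal condition rather than a reportable error turns that client-supplied body into a crash.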

💻 Affected Systems

Products:
  • Valkey-Bloom module for Valkey
Versions: All versions prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd
Operating Systems: All platforms running Valkey with Valkey-Bloom module
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with Valkey-Bloom module loaded and enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service through server crash, potentially disrupting dependent applications and services.

🟠

Likely Case

Service disruption through server shutdown when malicious RESTORE commands are processed.

🟢

If Mitigated

Minimal impact if the RESTORE command is disabled or the module is patched.

🌐 Internet-Facing: MEDIUM - Requires the ability to send a RESTORE command to the vulnerable server; an instance exposed without authentication is the worst case.
🏢 Internal Only: MEDIUM - Any internal client that can reach the port and is allowed to run RESTORE can cause the shutdown.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the ability to send a RESTORE command to the vulnerable Valkey instance: network reach to the port and, where requirepass or ACLs are enforced, credentials for a user permitted to run RESTORE. No special state is needed beyond that, and one command is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd

Vendor Advisory: https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2

Restart Required: Yes

Instructions:

1. Update the Valkey-Bloom module to a build containing commit a68614b6e3845777d383b3a513cedcc08b3b7ccd.
2. Restart the Valkey server so the patched module is loaded (a module that registers data types cannot be unloaded at runtime).

🔧 Temporary Workarounds

Disable RESTORE command

Platforms: all

Prevent exploitation by disabling the RESTORE command if the application does not need it. `rename-command` is a configuration-file directive, not a runtime setting, so it cannot be applied with CONFIG SET: add the line below to valkey.conf and restart the server. Before doing so, check that nothing depends on the command: RESTORE is used by MIGRATE on the receiving side and by cluster slot migration, and the cluster variant RESTORE-ASKING accepts the same serialized payloads and would need the same treatment. Where a per-user deny is preferable to renaming, an ACL rule that removes the command (`-restore`) for untrusted users achieves the same effect without touching the configuration file.

rename-command RESTORE ""

🧯 If You Can't Patch

  • Disable the RESTORE command in valkey.conf, or deny it per user with an ACL rule
  • Restrict network access to the Valkey port (bind address, firewall, TLS client authentication) and require authentication, so only trusted clients can issue commands at all; network controls cannot filter individual commands

🔍 How to Verify

Check if Vulnerable:

Run `MODULE LIST` against the instance and check whether the Valkey-Bloom module is loaded. If it is, compare the loaded build against the release that contains commit a68614b6e3845777d383b3a513cedcc08b3b7ccd (see the vendor advisory); any build without that commit is vulnerable.

Check Version:

`MODULE LIST` reports each loaded module's name and version; the `modules` section of `INFO` shows the same information. Map the version to a release on the project's release page to confirm whether the fix commit is included.

Verify Fix Applied:

Confirm the module version includes commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, then run a DUMP followed by RESTORE of a bloom filter key (for example one created with BF.ADD) to confirm normal serialization still works. Do not send crafted payloads at production instances; an unpatched server will shut down.

📡 Detection & Monitoring

Log Indicators:

  • A Valkey crash report in the server log (the "BUG REPORT START" banner), followed by an unexpected restart by the supervisor
  • "ASSERTION FAILED" lines in the server log; the server does not log individual commands, so correlate the timestamp with client-side or proxy records of RESTORE use

Network Indicators:

  • RESTORE commands from clients or source addresses that do not normally use DUMP/RESTORE or MIGRATE; a single command is sufficient, so do not wait for a burst

SIEM Query:

Search Valkey server logs for 'ASSERTION FAILED' or 'BUG REPORT START', and alert on any match on an instance that has the Valkey-Bloom module loaded; pair the alert with process-restart events from the service manager.
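An added example of the log-side detection above (written for this page, not code from the Valkey project): it parses server log lines in the Redis-derived format Valkey uses (pid:role, date, level character, message) and groups the assertion banner with the "==> file:line 'condition' is not true" line that follows it. The sample log lines are constructed; the module path, file name, line number and condition in them are invented, and the exact banner wording is assumed from the Redis crash-report code.

```python
"""Detect Valkey assertion-failure crash reports in server log lines.

Added example, not code from Valkey. The SAMPLE_LOG below is constructed to
imitate the server's log format; its file names, line numbers and paths are
invented placeholders.
"""
import re
from dataclasses import dataclass, field

# pid:role day mon year HH:MM:SS.mmm level message
# role: M main, S replica, C child, X sentinel; level: . - * # (debug..warning)
LINE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<role>[MSCX]) "
    r"(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[.\-*#]) (?P<msg>.*)$"
)
ASSERT_BANNER = "=== ASSERTION FAILED ==="
ASSERT_DETAIL_RE = re.compile(r"^==> (?P<loc>\S+) '(?P<cond>.*)' is not true$")


@dataclass
class AssertionEvent:
    pid: str
    role: str
    timestamp: str
    location: str = ""
    condition: str = ""
    context: list = field(default_factory=list)


def find_assertion_events(lines):
    """Return one AssertionEvent per assertion banner, with its detail line attached."""
    events = []
    current = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not a server log line (e.g. stack dump)
        msg = m.group("msg")
        if ASSERT_BANNER in msg:
            current = AssertionEvent(m["pid"], m["role"], m["ts"])
            events.append(current)
            continue
        if current is None:
            continue
        detail = ASSERT_DETAIL_RE.match(msg)
        if detail:
            current.location = detail["loc"]
            current.condition = detail["cond"]
        elif "BUG REPORT END" in msg:
            current = None                # report closed; stop collecting context
        else:
            current.context.append(msg)
    return events


# Constructed sample log (paths, file names and conditions are placeholders).
SAMPLE_LOG = """\
4711:M 14 Jan 2026 09:12:01.004 * Module 'example_bloom' loaded from /opt/valkey/modules/example_bloom.so
4711:M 14 Jan 2026 09:12:01.005 * Ready to accept connections tcp
4711:M 14 Jan 2026 09:30:44.217 # === VALKEY BUG REPORT START: Cut & paste starting from here ===
4711:M 14 Jan 2026 09:30:44.217 # === ASSERTION FAILED ===
4711:M 14 Jan 2026 09:30:44.217 # ==> example_module.c:100 'some_condition' is not true
4711:M 14 Jan 2026 09:30:44.218 # === VALKEY BUG REPORT END. Make sure to include from START to END. ===
4712:M 14 Jan 2026 09:30:50.000 * Ready to accept connections tcp
""".splitlines()


def alerts_for(lines):
    """Render detected events as one-line alert strings suitable for a SIEM."""
    return [
        f"{e.timestamp} pid={e.pid} role={e.role} assertion at {e.location or '?'}: {e.condition or '?'}"
        for e in find_assertion_events(lines)
    ]


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_LOG):
        print(line)
```

The pid change after the report (4711 to 4712 in the sample) is the restart signal mentioned above; feeding the same lines through a log shipper with this parser attached gives an alert that carries the asserting location, which is what you need to tell a module-triggered crash from an unrelated one.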
