Home / mailingsPDF  

[USN-7893-1] Valkey vulnerabilities

Posted on 26 November 2025
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-7893-1
November 26, 2025

valkey vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in Valkey.

Software Description:
- valkey: Persistent key-value database with network interface

Details:

Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Valkey incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Valkey server.
(CVE-2025-49844)

It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to trigger
a integer overflow condition, and potentially achieve remote code execution
on the Valkey server. (CVE-2025-46817)

It was discovered that Valkey incorrectly handled Lua objects. An
authenticated attacker could possibly use this issue to escalate their
privileges. (CVE-2025-46818)

It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to read
out-of-bounds memory, causing a denial of service or possibly obtaining
sensitive information. (CVE-2025-46819)

It was discovered that Valkey incorrectly handled memory in some
calculations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2025-49112)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
valkey-server 8.1.4+dfsg1-0ubuntu0.2

Ubuntu 25.04
valkey-server 8.0.6+dfsg1-0ubuntu0.2

Ubuntu 24.04 LTS
valkey-server 7.2.11+dfsg1-0ubuntu0.2

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
https://ubuntu.com/security/notices/USN-7893-1
CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49112,
CVE-2025-49844

Package Information:
https://launchpad.net/ubuntu/+source/valkey/8.1.4+dfsg1-0ubuntu0.2
https://launchpad.net/ubuntu/+source/valkey/8.0.6+dfsg1-0ubuntu0.2
https://launchpad.net/ubuntu/+source/valkey/7.2.11+dfsg1-0ubuntu0.2

--===============1652069309012000551==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :