CVE-2026-21864

Published: Feb 24, 2026

Modified: Feb 26, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Valkey-Bloom is a Rust based Valkey module which brings a Bloom Filter (Module) data type into the Valkey distributed key-value database. Prior to commit a68614b6e3845777d383b3a513cedcc08b3b7ccd, a specially crafted `RESTORE` command can cause Valkey to hit an assertion, causes the server to shutdown. Valkey modules are required to handle errors in RDB parsing by using `VALKEYMODULE_OPTIONS_HANDLE_IO_ERRORS` flag. If this flag is not set, errors encountered during parsing result in a system assertion which shuts down the system. Even though the Valkey-bloom module correctly handled the parsing, it did not originally set the flag. Commit a68614b6e3845777d383b3a513cedcc08b3b7ccd contains a patch. One may mitigate this defect by disabling the `RESTORE` command if it is unused by one's application.

Vendor	Product	Versions
valkey-io	valkey-bloom	affected `< a68614b6e3845777d383b3a513cedcc08b3b7ccd`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/valkey-io/valkey-bloom/security/advisories/GHSA-mc2g-h759-3qw2

x_refsource_CONFIRM

https://github.com/valkey-io/valkey-bloom/commit/a68614b6e3845777d383b3a513cedcc08b3b7ccd

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-21864

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References