Source: redis
Version: 5:8.0.6-1
Severity: important
Tags: patch security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The patch debian/patches/0009-CVE-2026-21863.patch was copied verbatim
from the Valkey commit. In Valkey those new bounds checks live inside
a dedicated function clusterIsValidPacket() that does not exist in Redis,
with the convention 0 = invalid, 1 = valid.  In Redis the same checks sit inline
in clusterProcessPacket(), whose return value has a different meaning:
0 = link was freed, 1 = link is still alive.

The Valkey patch's two new exits return 0 on a malformed packet inside
clusterIsValidPacket(); no freeClusterLink() is ever called, so the
packet is discarded but the link stays alive.

Pasted into clusterProcessPacket() unchanged, those "return 0" exits still
mitigate the oob-read CVE by returning before the unsafe deref.
But now they also tell the caller that the link is gone.
clusterReadHandler() then bails out without resetting link->rcvbuf_len,
which wedges the link: it stays open but no further packets from that
peer can ever be parsed, which is a new remote DoS against cluster
traffic.

Regards,
Aron
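The mismatch described in the report can be reproduced with a small model of the two call sites. The following is an added illustration, not code from Redis, Valkey or the Debian patch: the names model_process_packet, model_read_handler and the packet-length threshold are hypothetical stand-ins for clusterProcessPacket(), clusterReadHandler() and the new bounds check, and the "stale buffer never drained" behaviour is a simplified model of what an un-reset link->rcvbuf_len does to later reads.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the two return-value conventions described in the
 * report. None of this is Redis or Valkey code; all names are hypothetical. */

typedef struct {
    size_t rcvbuf_len;   /* bytes of the in-progress packet, like link->rcvbuf_len */
    int alive;           /* 1 while the link is open */
} model_link;

#define MODEL_MIN_PACKET 8   /* hypothetical minimum well-formed length */

/* Stand-in for the pasted bounds check at the top of clusterProcessPacket().
 * use_valkey_convention == 1: a malformed packet returns 0, which in Valkey's
 * clusterIsValidPacket() meant "invalid packet" but to Redis's caller means
 * "link was freed".
 * use_valkey_convention == 0: a malformed packet returns 1 ("link still alive"),
 * the meaning Redis's caller actually expects. */
static int model_process_packet(model_link *link, size_t pkt_len,
                                int use_valkey_convention, int *parsed)
{
    (void)link;
    if (pkt_len < MODEL_MIN_PACKET) {
        /* Malformed: stop before the unsafe dereference. The link is not
         * freed in either variant, exactly as the report describes. */
        return use_valkey_convention ? 0 : 1;
    }
    (*parsed)++;          /* a well-formed packet was parsed */
    return 1;
}

/* Stand-in for clusterReadHandler(): rcvbuf_len is reset only when the callee
 * reports the link is still alive (1); 0 means the link is gone and must not
 * be touched again. A stale non-zero rcvbuf_len is treated as a packet still
 * being assembled, so no later packet from this peer is ever handed to the
 * parser. */
static void model_read_handler(model_link *link, size_t pkt_len,
                               int use_valkey_convention, int *parsed)
{
    if (!link->alive || link->rcvbuf_len != 0)
        return;                     /* wedged: stale buffer never drained */
    link->rcvbuf_len = pkt_len;
    if (model_process_packet(link, pkt_len, use_valkey_convention, parsed))
        link->rcvbuf_len = 0;       /* link alive: ready for the next packet */
}

/* Deliver one malformed packet followed by `good` well-formed ones and
 * report how many of the good ones were parsed. */
int model_packets_parsed_after_malformed(int use_valkey_convention, int good)
{
    model_link link = { 0, 1 };
    int parsed = 0;
    model_read_handler(&link, 4, use_valkey_convention, &parsed);       /* malformed */
    for (int i = 0; i < good; i++)
        model_read_handler(&link, 64, use_valkey_convention, &parsed);  /* well-formed */
    return parsed;
}

/* The link stays open in both variants; the difference is only whether it
 * can still parse anything afterwards. */
int model_link_open_after_malformed(int use_valkey_convention)
{
    model_link link = { 0, 1 };
    int parsed = 0;
    model_read_handler(&link, 4, use_valkey_convention, &parsed);
    return link.alive;
}

int main(void)
{
    printf("return 0 on malformed (pasted as-is): open=%d, parsed afterwards=%d\n",
           model_link_open_after_malformed(1),
           model_packets_parsed_after_malformed(1, 3));
    printf("return 1 on malformed (Redis convention): open=%d, parsed afterwards=%d\n",
           model_link_open_after_malformed(0),
           model_packets_parsed_after_malformed(0, 3));
    return 0;
}
```

The first line of output shows the wedge the report describes: the link is still open, yet none of the three well-formed packets that follow the malformed one are parsed. Returning 1 from the same early exit keeps the CVE mitigation (the parser still returns before touching the malformed data) while letting the caller reset rcvbuf_len, so the second line reports all three parsed.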
