[Bug 2141721] Re: CVE-2025-32023: Redis allows out of bounds writes in hyperloglog commands leading to RCE

[Titi Wangsa Damhore]

Test result on redis-7.0.15

```
$ ./runtest --single unit/hyperloglog
Cleanup: may take some time... OK
Starting test server at port 21079
[ready]: 476886
Testing unit/hyperloglog
[ready]: 476887
[ready]: 476888
[ready]: 476889
[ready]: 476884
[ready]: 476885
[ready]: 476891
[ready]: 476890
[ready]: 476892
[ready]: 476894
[ready]: 476895
[ready]: 476893
[ready]: 476896
[ready]: 476899
[ready]: 476898
[ready]: 476897
[ok]: HyperLogLog self test passes (336 ms)
[ok]: PFADD without arguments creates an HLL value (1 ms)
[ok]: Approximated cardinality after creation is zero (0 ms)
[ok]: PFADD returns 1 when at least 1 reg was modified (0 ms)
[ok]: PFADD returns 0 when no reg was modified (0 ms)
[ok]: PFADD works with empty string (regression) (0 ms)
[ok]: PFCOUNT returns approximated cardinality of set (0 ms)
[ok]: HyperLogLogs are promote from sparse to dense (243 ms)
[ok]: HyperLogLog sparse encoding stress test (660 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Additional at tail (0 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Broken magic (1 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Invalid encoding (0 ms)
[ok]: Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds 
with XZERO opcode (21 ms)
[ok]: Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds 
with ZERO opcode (4988 ms)
[ok]: Corrupted dense HyperLogLogs are detected: Wrong length (3 ms)
[ok]: Fuzzing dense/sparse encoding: Redis should always detect errors (93082 
ms)
[ok]: PFADD, PFCOUNT, PFMERGE type checking works (2 ms)
[ok]: PFMERGE results on the cardinality of union of sets (1 ms)
[ok]: PFCOUNT multiple-keys merge returns cardinality of union #1 (3481 ms)
[ok]: PFCOUNT multiple-keys merge returns cardinality of union #2 (1712 ms)
[ok]: PFDEBUG GETREG returns the HyperLogLog raw registers (259 ms)
[ok]: PFADD / PFCOUNT cache invalidation works (2 ms)
[1/1 done]: unit/hyperloglog (105 seconds)

                   The End

Execution time of different units:
  105 seconds - unit/hyperloglog

\o/ All tests passed without errors!

Cleanup: may take some time... OK
```

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2141721

Title:
  CVE-2025-32023: Redis allows out of bounds writes in hyperloglog
  commands leading to RCE

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redis/+bug/2141721/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs