[USN-7893-1] Valkey vulnerabilities

Wed, 26 Nov 2025 06:27:50 -0800 

==========================================================================
Ubuntu Security Notice USN-7893-1
November 26, 2025

valkey vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 25.04
- Ubuntu 24.04 LTS

Summary:

Several security issues were fixed in Valkey.

Software Description:
- valkey: Persistent key-value database with network interface

Details:

Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Valkey incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Valkey server.
(CVE-2025-49844)

It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to trigger
a integer overflow condition, and potentially achieve remote code execution
on the Valkey server. (CVE-2025-46817)

It was discovered that Valkey incorrectly handled Lua objects. An
authenticated attacker could possibly use this issue to escalate their
privileges. (CVE-2025-46818)

It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to read
out-of-bounds memory, causing a denial of service or possibly obtaining
sensitive information. (CVE-2025-46819)

It was discovered that Valkey incorrectly handled memory in some
calculations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2025-49112)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
  valkey-server                   8.1.4+dfsg1-0ubuntu0.2

Ubuntu 25.04
  valkey-server                   8.0.6+dfsg1-0ubuntu0.2

Ubuntu 24.04 LTS
  valkey-server                   7.2.11+dfsg1-0ubuntu0.2

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References:
  https://ubuntu.com/security/notices/USN-7893-1
  CVE-2025-46817, CVE-2025-46818, CVE-2025-46819, CVE-2025-49112,
  CVE-2025-49844

Package Information:
  https://launchpad.net/ubuntu/+source/valkey/8.1.4+dfsg1-0ubuntu0.2
  https://launchpad.net/ubuntu/+source/valkey/8.0.6+dfsg1-0ubuntu0.2
  https://launchpad.net/ubuntu/+source/valkey/7.2.11+dfsg1-0ubuntu0.2

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to