Critical Redis RCE Vulnerability: Attackers Seize Host

In May 2026, Redis developers addressed a critical post-authentication remote code execution (RCE) vulnerability, designated DarkReplica (CVE-2026-23631). This flaw allowed attackers to gain full control of a Redis host.

Redis provides powerful server-side Lua engines, allowing administrators to run custom logic directly in the database.

There are two such engines: the older scripting engine and the newer functions engine, which stores libraries and synchronizes them between nodes.

DarkReplica targets the functions engine during replication. An attacker who can authenticate to a Redis instance can instruct that server to become a replica of an attacker-controlled master using the SLAVEOF command.

When the replica synchronizes, the server may load a new function context from the incoming RDB (Redis dump) file.

Redis RCE Vulnerability

The issue was discovered during a ZeroDay.Cloud 2025 research effort and demonstrated how complex features and unexpected interactions can lead to critical risks.

Redis handles long-running Lua functions by periodically yielding to process events this is how FUNCTION KILL works.

But processing replication events while a slow function is paused opens a loophole: the replication handler frees the running Lua engine and replaces it with a new context without preventing the paused function from resuming.

The paused function then continues executing with its lua_State and related objects freed, producing a use-after-free condition.

Exploiting that condition is complex but practical. Researchers built primitives to leak heap addresses, force deterministic heap allocations, and create fake Lua objects.

By running the vulnerable code inside coroutines and carefully spraying the Lua memory arena, they regained control of the Lua VM and produced read/write primitives.

From there, they redirected internal function pointers to call libc functions. They ultimately invoked system commands, achieving full remote code execution on the host.

The vulnerability impacted many maintained Redis release series and was patched on May 5, 2026, across versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x.

Operators must upgrade to fixed releases immediately and audit exposed Redis instances.

Because exploitation requires authentication and advanced memory work, risk is highest for misconfigured servers that allow weak or no credentials, or for environments where attackers can obtain valid credentials.

The incident highlights that complex in-process scripting and replication features increase the attack surface, underscoring the importance of careful synchronization and lifecycle management.

Users should update Redis, enforce strong authentication and network controls, and monitor for unexpected changes to agent configuration or functionality.

The researcher published the full technical write-up and exploit. Vendors and cloud security tools now offer advisories to detect affected installations.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.