CVE-2025-67733
A flaw in the Lua scripting error path allowed an authenticated user
to embed CR/LF byte sequences in an error reply produced via
redis.error_reply() or the Lua error() function. Because RESP uses
CRLF as a frame delimiter, an injected sequence could be interpreted
by the client as the start of an unrelated reply, allowing an
attacker to inject arbitrary content into the response stream and
tamper with data read by other commands on the same connection.
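Worked illustration of the framing problem described above. This is an added example, not code from Redis or from the Debian advisory: it frames a constructed error string (assumed to be what a Lua script hands to redis.error_reply() or error()) into a RESP error reply the way an unsanitised error path would, then the way a hardened path does, and runs both through a minimal client-side reply reader to count how many replies the client sees. The CR/LF-to-space replacement shown as the fix is the generic mitigation, not the project's actual patch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: error text with a CRLF and a second RESP reply
 * ("+OK") embedded in it, as a Lua script could pass to error(). */
#define INJECTED_ERR "ERR boom\r\n+OK"

/* Unsafe framing (the pre-fix behaviour): the error text is copied
 * verbatim into a RESP error reply "-<text>\r\n". An embedded CRLF ends
 * the error frame early and whatever follows is emitted as a new frame. */
size_t frame_error_reply_unsafe(const char *err, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "-%s\r\n", err);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened framing: CR and LF in the error text are replaced with spaces
 * before framing, so a single error reply can never carry a second
 * delimiter. Generic mitigation, not the project's patch. */
size_t frame_error_reply_safe(const char *err, char *out, size_t outlen) {
    char tmp[256];
    size_t i;
    for (i = 0; err[i] != '\0' && i < sizeof(tmp) - 1; i++)
        tmp[i] = (err[i] == '\r' || err[i] == '\n') ? ' ' : err[i];
    tmp[i] = '\0';
    int n = snprintf(out, outlen, "-%s\r\n", tmp);
    return n < 0 ? 0 : (size_t)n;
}

static const char *find_crlf(const char *p, size_t n) {
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == '\r' && p[i + 1] == '\n') return p + i;
    return NULL;
}

/* Minimal client-side reply reader for the line-delimited RESP types
 * (+ simple string, - error, : integer): every CRLF-terminated line that
 * starts with a type byte is one complete reply. Returns the number of
 * replies, or -1 for a malformed or incomplete buffer. This is the view
 * a pipelining client has of the byte stream. */
int count_resp_replies(const char *buf, size_t len) {
    int replies = 0;
    size_t pos = 0;
    while (pos < len) {
        char t = buf[pos];
        if (t != '+' && t != '-' && t != ':') return -1;
        const char *crlf = find_crlf(buf + pos, len - pos);
        if (crlf == NULL) return -1;
        pos = (size_t)(crlf - buf) + 2;
        replies++;
    }
    return replies;
}

/* How many replies a client sees for the injected error, unsafe vs safe. */
int unsafe_reply_count(void) {
    char buf[512];
    size_t n = frame_error_reply_unsafe(INJECTED_ERR, buf, sizeof buf);
    return count_resp_replies(buf, n);   /* 2: "-ERR boom" then "+OK" */
}

int safe_reply_count(void) {
    char buf[512];
    size_t n = frame_error_reply_safe(INJECTED_ERR, buf, sizeof buf);
    return count_resp_replies(buf, n);   /* 1: "-ERR boom  +OK" */
}

int main(void) {
    printf("unsafe framing: %d replies\n", unsafe_reply_count());
    printf("safe framing:   %d replies\n", safe_reply_count());
    return 0;
}
```

The second reply the client sees in the unsafe case ("+OK") was never sent by the server for any command; a client that has pipelined a second command will hand it that attacker-chosen reply.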
CVE-2026-21863
The cluster bus packet validation in clusterProcessPacket() did not
verify that the number of gossip entries and the per-extension header
lengths declared by an incoming PING, PONG or MEET message actually fit
within the bytes received. A peer with access to the cluster bus port
could send a specially crafted message whose declared lengths exceed
the packet size, causing the server to read past the end of the
received packet and potentially crash, resulting in a denial of
service.
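Worked illustration of the missing bounds checks described above. This is an added example and not the Redis/Valkey cluster code: it uses a hypothetical, simplified cluster-bus layout (an 8-byte header carrying a total length and a gossip count, fixed-size gossip entries, then length-prefixed extension headers) in place of the real clusterMsg structures. It shows the unchecked offset arithmetic that the vulnerable path relies on, and a hardened validator that bounds every declared count and length by the number of bytes actually received before anything past the header is read. The sample packets are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout for this example only (host byte order); NOT the
 * real clusterMsg / clusterMsgPingExt definitions.
 *   header:    uint32 totlen | uint16 type | uint16 gossip count  (8 bytes)
 *   gossip:    <count> entries of GOSSIP_SIZE bytes each
 *   extension: uint16 type | uint16 len (incl. header) | body, repeated */
#define HDR_SIZE     8
#define GOSSIP_SIZE  16
#define EXT_HDR_SIZE 4

enum { PKT_OK = 0, PKT_SHORT_HDR, PKT_TOTLEN_MISMATCH, PKT_GOSSIP_OVERFLOW,
       PKT_EXT_HDR_OVERFLOW, PKT_EXT_LEN_BAD, PKT_EXT_BODY_OVERFLOW };

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* The unchecked arithmetic of the vulnerable path: where extension
 * headers would be read, trusting the declared gossip count. When this
 * exceeds the received length, every later read is out of bounds.
 * Pure arithmetic, so it is safe to evaluate on a bad packet here. */
size_t ext_offset_unchecked(const uint8_t *pkt) {
    return HDR_SIZE + (size_t)rd16(pkt + 6) * GOSSIP_SIZE;
}

/* Hardened validation: each declared length is bounded by rcvlen before
 * the bytes it covers are touched; subtractions are ordered so they
 * cannot underflow, and a too-small extension length is rejected so the
 * loop always advances. */
int validate_packet(const uint8_t *pkt, size_t rcvlen) {
    if (rcvlen < HDR_SIZE) return PKT_SHORT_HDR;
    if (rd32(pkt) != rcvlen) return PKT_TOTLEN_MISMATCH;
    size_t off = HDR_SIZE;
    size_t gossip_bytes = (size_t)rd16(pkt + 6) * GOSSIP_SIZE;
    if (gossip_bytes > rcvlen - off) return PKT_GOSSIP_OVERFLOW;
    off += gossip_bytes;
    while (off < rcvlen) {
        if (rcvlen - off < EXT_HDR_SIZE) return PKT_EXT_HDR_OVERFLOW;
        uint16_t elen = rd16(pkt + off + 2);
        if (elen < EXT_HDR_SIZE) return PKT_EXT_LEN_BAD;
        if (elen > rcvlen - off) return PKT_EXT_BODY_OVERFLOW;
        off += elen;
    }
    return PKT_OK;
}

/* Constructed packet builder: totlen is always the true length, so only
 * the gossip count and the extension length field can lie. */
static size_t build_packet(uint8_t *out, uint16_t count_field,
                           size_t gossip_entries, uint16_t ext_declared,
                           size_t ext_actual) {
    size_t total = HDR_SIZE + gossip_entries * GOSSIP_SIZE + ext_actual;
    uint32_t totlen = (uint32_t)total;
    uint16_t type = 0, etype = 1;   /* "PING", one hypothetical ext type */
    memset(out, 0, total);
    memcpy(out, &totlen, 4);
    memcpy(out + 4, &type, 2);
    memcpy(out + 6, &count_field, 2);
    if (ext_actual >= EXT_HDR_SIZE) {
        size_t eoff = HDR_SIZE + gossip_entries * GOSSIP_SIZE;
        memcpy(out + eoff, &etype, 2);
        memcpy(out + eoff + 2, &ext_declared, 2);
    }
    return total;
}

/* Honest packet: 1 gossip entry declared and present, one 8-byte ext. */
int good_packet_status(void) {
    uint8_t p[128]; size_t n = build_packet(p, 1, 1, 8, 8);
    return validate_packet(p, n);
}
/* Declares 1000 gossip entries, sends only 1. */
int inflated_gossip_status(void) {
    uint8_t p[128]; size_t n = build_packet(p, 1000, 1, 0, 0);
    return validate_packet(p, n);
}
/* Same packet: does the unchecked offset run past the received bytes? */
int unchecked_offset_exceeds_packet(void) {
    uint8_t p[128]; size_t n = build_packet(p, 1000, 1, 0, 0);
    return ext_offset_unchecked(p) > n;
}
/* Extension header claims 4096 bytes, only 8 are present. */
int inflated_ext_status(void) {
    uint8_t p[128]; size_t n = build_packet(p, 1, 1, 4096, 8);
    return validate_packet(p, n);
}
/* Extension length smaller than its own header. */
int zero_ext_len_status(void) {
    uint8_t p[128]; size_t n = build_packet(p, 1, 1, 0, 8);
    return validate_packet(p, n);
}
```

The check that matters is the order of operations: the declared count or length is compared against what remains of rcvlen before the parser advances into it, and the total length field is itself verified against the received byte count rather than trusted.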
For the oldstable di…