USN-7893-1: Valkey vulnerabilities
Publication date: 26 November 2025
Overview: Several security issues were fixed in Valkey.
Packages
valkey - Persistent key-value database with network interface
Details
Benny Isaacs, Nir Brakha, and Sagi Tzadik discovered that Valkey incorrectly
handled memory when running Lua scripts. An authenticated attacker could
use this vulnerability to trigger a use-after-free condition, and
potentially achieve remote code execution on the Valkey server.
(CVE-2025-49844)
It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to trigger
an integer overflow condition, and potentially achieve remote code execution
on the Valkey server. (CVE-2025-46817)
It was discovered that Valkey incorrectly handled Lua objects. An
authenticated attacker could possibly use this issue to escalate their
privileges. (CVE-2025-46818)
It was discovered that Valkey incorrectly handled memory when running Lua
scripts. An authenticated attacker could use this vulnerability to read
out-of-bounds memory, causing a denial of service or possibly obtaining
sensitive information. (CVE-2025-46819)
It was discovered that Valkey incorrectly handled memory in some
calculations. An attacker could possibly use this issue to cause a denial
of service. (CVE-2025-49112)
Update instructions
This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.
The problem can be corrected by updating your system to the following package versions:
- 25.10 questing valkey-server – 8.1.4+dfsg1-0ubuntu0.2
- 25.04 plucky valkey-server – 8.0.6+dfsg1-0ubuntu0.2
- 24.04 LTS noble valkey-server – 7.2.11+dfsg1-0ubuntu0.2

