Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
CVE-2021-32628
This high-severity CVE scores 7.5 under NVD CVSS v3. EPSS exploit probability: 0.6%, top 31% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- High severity, but no confirmed exploitation yet
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 7.5(medium)
- EPSS
- 88.2%
- KEV
- Not listed
Published
October 4, 2021
Last Modified
November 21, 2024
References (18)
- security-advisories@githubhttps://github.com/redis/redis/commit/f6a40570fa63d5afdd596c78083d754081d80ae3
- security-advisories@githubhttps://github.com/redis/redis/security/advisories/GHSA-vw22-qm3h-49pr
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- security-advisories@githubhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- security-advisories@githubhttps://security.gentoo.org/glsa/202209-17
- security-advisories@githubhttps://security.netapp.com/advisory/ntap-20211104-0003/
- security-advisories@githubhttps://www.debian.org/security/2021/dsa-5001
- security-advisories@githubhttps://www.oracle.com/security-alerts/cpuapr2022.html
- af854a3a-2127-422b-91ae-364da2661108https://github.com/redis/redis/commit/f6a40570fa63d5afdd596c78083d754081d80ae3
- af854a3a-2127-422b-91ae-364da2661108https://github.com/redis/redis/security/advisories/GHSA-vw22-qm3h-49pr
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202209-17
Vendor Advisories for CVE-2021-32628(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(9)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Microsoft MSRCCVE-2021-326282021-10-14
Vulnerability in handling large ziplists
- Red HatRHSA-2021:3918IMPORTANT2021-10-04
RHSA-2021:3918 — Important
- Red HatRHSA-2021:3925IMPORTANT2021-10-04
RHSA-2021:3925 — Important
- Red HatRHSA-2021:3944IMPORTANT2021-10-04
RHSA-2021:3944 — Important
- Red HatRHSA-2021:3945IMPORTANT2021-10-04
RHSA-2021:3945 — Important
- Red HatRHSA-2021:3946IMPORTANT2021-10-04
RHSA-2021:3946 — Important
- Red HatRHSA-2021:3971IMPORTANT2021-10-04
RHSA-2021:3971 — Important
- Red HatRHSA-2021:3980IMPORTANT2021-10-04
RHSA-2021:3980 — Important
- UbuntuUSN-5221-1MEDIUM
Redis vulnerabilities
Frequently asked(5)
What is CVE-2021-32628?
When was CVE-2021-32628 disclosed?
Is CVE-2021-32628 actively exploited?
What is the CVSS score of CVE-2021-32628?
How do I remediate CVE-2021-32628?
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2021-32628
Is Your Infrastructure Affected by CVE-2021-32628?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.