VIR Vulnerability Intelligence Relay

CVE-2016-8339

critical
Published 2016-10-28 · Modified 2026-05-06
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. An out of bounds write vulnerability exists in the handling of the client-output-buffer-limit option during the CONFIG SET command for the Redis data structure store. A crafted CONFIG SET command can lead to an out of bounds write potentially resulting in code execution.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-8339

vendor Authored 2026-05-27

Vendor advisory: talos-cna@cisco.com — https://github.com/antirez/redis/commit/6d9f8e2462fc2c426d48c941edeb78e5df7d2977

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed3:3.2.4-1
debian debianbullseyefixed3:3.2.4-1
debian debianforkyfixed3:3.2.4-1
debian debiansidfixed3:3.2.4-1
debian debiantrixiefixed3:3.2.4-1

Application impact
VendorProductVersionsFixed
redislabsredis3.2.1
redislabsredis3.2.2
redislabsredis3.2.3
redislabsredis3.2.0
redis redisredis3.2.0
redis redisredis3.2.1
redis redisredis3.2.2
redis redisredis3.2.3

References

CWEs

CWE-787

Verify integrity in audit chain (admin only). AS-IS.