valkey

v9.1.0 Security

This release includes 3 security fixes relevant to security teams reviewing exposed deployments.

Published 15d Caching
This release patches 3 known CVEs

Topics

cache database key-value key-value-store nosql redis valkey valkey-client

Summary

AI summary

A mixed release covering security fixes, including CVE-2026-23479, and bug fixes.

Changes in this release

Security Medium

CVE-2026-23479: Use-After-Free in unblock client flow

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

CVE-2026-25243: Invalid Memory Access in RESTORE command

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Security Medium

CVE-2026-23631: Use-after-free during full sync with yielding Lua/function execution

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: low

Feature Medium

Add cluster bus network traffic usage metric in bytes

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Performance Medium

Reduce latency spikes during rehashing via incremental page release

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix errno propagation on EOF in syncRead and conn->last

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix GEOSEARCH BYPOLYGON leak on invalid COUNT

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Handle NULL pointer in streamTrim listpack delta calculation

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Prevent server crash when RDMA benchmark clients disconnect

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Bugfix Medium

Fix memory leak in valkey-benchmark

Source: granite4.1:8b-q6_K@2026-05-19

Confidence: high

Full changelog

Upgrade urgency LOW: This is the first stable release of Valkey 9.1.

Security fixes

  • (CVE-2026-23479) Use-After-Free in unblock client flow
  • (CVE-2026-25243) Invalid Memory Access in RESTORE command
  • (CVE-2026-23631) Use-after-free when full sync occurs during a yielding Lua/function execution

New Features and enhanced behavior

  • Add cluster bus network traffic usage metric in bytes by @hpatro (#3396)
  • Reduce latency spikes during rehashing via incremental page release by @chzhoo (#3481)

Bug Fixes

  • Fix(syncio): Set errno on EOF in syncRead and propagate to conn->last by @abmathur-ie (#3580)
  • Fix GEOSEARCH BYPOLYGON leak on invalid COUNT by @bandalgomsu (#3568)
  • Handle NULL pointer in streamTrim listpack delta calculation by @smkher (#3591)
  • Fixes server crash when RDMA benchmark clients disconnect by @quanyeyang (#3448)
  • Fix the memory leak in valkey-benchmark by @nmvk (#3643)

About valkey

A flexible distributed key-value database that is optimized for caching and other realtime workloads.
