Alpine: multiple valkey packages: security update to 8.1.7-r0

high Tenable Cloud Security Plugin ID 441637

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Redis is an in-memory data structure store. In redis-server from 7.2.0 until 8.6.3, the unblock client
flow does not handle an error return from `processCommandAndResetClient` when re-executing a blocked
command. If a blocked client is evicted during this flow, an authenticated attacker can trigger a use-
after-free that may lead to remote code execution. This has been patched in version 8.6.3.
(CVE-2026-23479)

- Redis is an in-memory data structure store. In all versions of redis-server with Lua scripting, an
authenticated attacker can exploit the master-replica synchronization mechanism to trigger a use-after-
free on replicas where replica-read-only is disabled or can be disabled, which may lead to remote code
execution. A workaround is to prevent users from executing Lua scripts or avoid using replicas where
replica-read-only is disabled. This is patched in version 8.6.3. (CVE-2026-23631)

- Redis is an in-memory data structure store. In versions of redis-server up to 8.6.3, the RESTORE command
does not properly validate serialized values. An authenticated attacker with permission to execute RESTORE
can supply a crafted serialized payload that triggers invalid memory access and may lead to remote code
execution. A workaround is to restrict access to the RESTORE command with ACL rules. This is patched in
version 8.6.3. (CVE-2026-25243)

Solution

Update the valkey library and its related packages to version 8.1.7-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-23479

https://security.alpinelinux.org/vuln/CVE-2026-23631

https://security.alpinelinux.org/vuln/CVE-2026-25243

Plugin Details

Severity: High

ID: 441637

Version: Revision 1.4

Type: Local

Published: 5/10/2026

Updated: 7/6/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.47

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-25243

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.7

Threat Score: 5.2

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/5/2026

Reference Information

CVE: CVE-2026-23479, CVE-2026-23631, CVE-2026-25243