CVE-2023-28856

Name: CVE-2023-28856
Creator: NVD / NIST
Published: 2023-04-18T21:15:09.313+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 6.5/10EPSS 0.96%

Last modified Jun 17, 2026

CVE-2023-28856 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. EPSS estimates a 0.96% chance of exploitation in the next 30 days.

Description

Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

0.96%

57.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Redis	Redis	< 6.0.19
Redis	Redis	>= 6.2.0, < 6.2.12
Redis	Redis	>= 7.0.0, < 7.0.11
Debian	Debian Linux	10.0
Fedoraproject	Fedora	36
Fedoraproject	Fedora	37
Fedoraproject	Fedora	38

References

https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5cPatch
https://github.com/redis/redis/pull/11149Issue Tracking, Patch
https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00023.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20230601-0007/
https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5cPatch
https://github.com/redis/redis/pull/11149Issue Tracking, Patch
https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/04/msg00023.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/Mailing List, Third Party Advisory
https://security.netapp.com/advisory/ntap-20230601-0007/

Timeline

Published: Apr 18, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-28856?

How severe is CVE-2023-28856?

CVE-2023-28856 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.96% probability of exploitation in the next 30 days.

How do I fix CVE-2023-28856?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-28856?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST