Redis: Security Patches and Release Candidate 8.8 RC1
Redis merged critical security fixes addressing three CVEs including remote code execution vulnerabilities, while releasing version 8.8 RC1 and temporarily disabling the GCRA rate limiting feature.
Transcript
Good morning. This is your Redis development briefing for May 15th, 2026.
YaacovHazan merged a major security update addressing multiple critical vulnerabilities. The patch fixes CVE-2026-23479, a use-after-free bug in the unblock client flow that could lead to remote code execution. It also resolves CVE-2026-25243, an invalid memory access issue in the RESTORE command, and CVE-2026-23631, a Lua use-after-free vulnerability. Additional fixes include crashes in SUBSCRIBE commands during out-of-memory conditions and validation improvements for CONFIG SET operations.
The same author also merged Redis 8.8 RC1, a substantial release candidate spanning over 26,000 lines of changes across 167 files. This update includes GitHub Actions workflow improvements and dependency updates.
Mincho Paskalev merged a change to disable the GCRA rate limiting algorithm that was previously introduced. The feature remains in the codebase but is now inaccessible, with commands disabled and AOF/RDB operations turned off, pending a final decision on its inclusion.
Several module updates were integrated. Tom Gabsow updated data type modules to RC1 versions, including RedisJSON 8.7.91 with array command fixes and RedisBloom 8.7.91 with various bug fixes. Omer Shadmi updated RediSearch to version 8.7.91.
Infrastructure improvements include removing an unused post-release automation workflow and fixing compatibility issues with cluster-announce-ip hostname validation.
What's next: Teams will likely focus on testing the 8.8 RC1 release candidate and monitoring the impact of the security patches. A decision on the GCRA rate limiting feature's future inclusion is still pending.
That's your Redis update for today. Stay secure.