Theori AI Finds 2-Year-Old Critical Redis RCE
Key insights
- CVE-2026-23479, scored 8.8 on CVSS 3.1, was introduced by two individually harmless Redis commits from January and March 2023 that became dangerous in combination.
- Theori's autonomous AI tool Xint Code, built for large codebase analysis and shown at ZeroDay.Cloud 2025, identified the flaw in Redis's blocking-client code.
- Patches covering five active Redis branches (7.2.14 through 8.6.3) are available, but many cloud Redis deployments run without password authentication.
Why this matters
The discovery shows that AI-driven vulnerability research can catch compositional bugs, where two individually safe commits combine into a critical flaw, of the kind human reviewers can miss for years in widely deployed infrastructure. Redis runs in most cloud environments, and because many instances run without password authentication, an 8.8 CVSS vulnerability that nominally requires authentication has a larger real-world blast radius than the access requirement implies: on an instance with no password set, anyone who can reach the port meets the precondition. For security teams and technical leaders, Xint Code's public demonstration at ZeroDay.Cloud 2025 signals that autonomous code analysis has moved from research concept to practical auditing of critical open-source dependencies.
Summary
Theori's Xint Code found CVE-2026-23479, a use-after-free in Redis 7.2.0+ that sat undetected for over two years. The CVSS 3.1 score is 8.8 (CVSS 4.0: 7.7). The bug traces to two pull requests merged in early 2023 (PR #11012 in January and PR #11568 in March), neither dangerous alone but critical in combination.
The flaw is a use-after-free in the unblockClientOnKey() function in src/blocked.c. The published exploit chain has three stages, run by an authenticated attacker (or by anyone who can reach an instance that has no password set): a heap address leak via a Lua script, memory grooming by injecting fake client structures, and a function pointer overwrite that abuses Redis's own memory accounting.
Essentially: an AI security tool caught a compositional flaw in Redis that years of human code review missed.
- Xint Code is built to hunt bugs in large codebases and was demonstrated at ZeroDay.Cloud 2025
- Patches are available across five branches: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3
- Redis runs in most cloud environments, and many instances lack password authentication
The authentication requirement offers thinner protection than it appears when many cloud Redis deployments have no password at all.
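As an added check (example code written for this page, not the article's, Theori's or Redis's own), the following script turns the two facts above into a triage: it compares a server's reported version against the patched releases the article lists (7.2.14, 7.4.9, 8.2.6, 8.4.3, 8.6.3; everything from 7.2.0 up is affected) and combines that with whether requirepass is set. Branches at or above 7.2 that the article does not list are reported as "no listed fix"; treating them as unfixed until the vendor says otherwise is this example's assumption. The INFO and CONFIG GET replies at the bottom are constructed samples, not captured from a real server.

```python
import re

# Affected range and patched releases as listed in the article.  Branches at or
# above 7.2 that the article does not list (an 8.0.x build, for example) have no
# fix on this page and are reported separately; treating them as vulnerable until
# the vendor confirms otherwise is this example's assumption, not the article's claim.
FIRST_AFFECTED = (7, 2, 0)
PATCHED = {
    (7, 2): (7, 2, 14),
    (7, 4): (7, 4, 9),
    (8, 2): (8, 2, 6),
    (8, 4): (8, 4, 3),
    (8, 6): (8, 6, 3),
}


def parse_version(text):
    """Turn redis_version text such as '8.6.2' into an int tuple; any suffix is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Redis version: %r" % text)
    return tuple(int(x) for x in m.groups())


def assess_version(text):
    """Classify one version string against the article's affected/patched list."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not affected"
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return "no listed fix"
    return "patched" if v >= fixed else "vulnerable"


def parse_info(reply):
    """Parse the key:value lines of an INFO reply (CRLF-terminated, '#' section headers)."""
    fields = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def parse_config_get(reply):
    """CONFIG GET returns a flat [name, value, name, value, ...] array; pair it up."""
    return dict(zip(reply[0::2], reply[1::2]))


def triage(info_reply, config_reply):
    """Combine version status with whether requirepass is set and return an action.

    An empty requirepass does not prove the instance is open to everyone: Redis 6+
    ACL users can carry their own passwords and the default user can be disabled,
    so confirm with ACL LIST before concluding an instance is unauthenticated.
    """
    info = parse_info(info_reply)
    status = assess_version(info["redis_version"])
    requirepass = parse_config_get(config_reply).get("requirepass", "")
    has_password = requirepass != ""
    if status in ("patched", "not affected"):
        action = "ok"
    elif not has_password:
        # Anyone who can reach the port can satisfy the "authenticated" precondition.
        action = "urgent: patch and set a password (or restrict network access)"
    else:
        action = "patch"
    return {
        "version": info["redis_version"],
        "status": status,
        "requirepass_set": has_password,
        "action": action,
    }


# Constructed sample replies (not captured from a real server): an 8.6.2 node with
# no requirepass, in the shape returned by 'INFO server' and 'CONFIG GET requirepass'.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:8.6.2\r\n"
    "redis_mode:standalone\r\n"
    "tcp_port:6379\r\n"
)
SAMPLE_CONFIG = ["requirepass", ""]

if __name__ == "__main__":
    print(triage(SAMPLE_INFO, SAMPLE_CONFIG))
```

In practice the two replies come from `redis-cli -h HOST INFO server` and `redis-cli -h HOST CONFIG GET requirepass`; note that CONFIG is often renamed or disabled on managed services, in which case the version check still works and the password question has to be answered from the provider's console instead.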
Potential risks and opportunities
Risks
- Organizations running unpatched Redis on any of the five affected branches (7.2.x through 8.6.x) face elevated exploitation risk now that the full three-stage exploit chain is publicly documented
- Redis deployments without password authentication, which the article identifies as common in cloud environments, provide no first-layer defense against an exploit that nominally requires authentication
- Well-resourced threat actors with access to AI-driven code analysis comparable to Xint Code could use similar methods to quietly stockpile zero-days in high-deployment infrastructure ahead of coordinated public disclosure
Opportunities
- Theori can use the Redis CVE-2026-23479 find as a commercial proof point for Xint Code, targeting enterprise security teams that depend on large open-source infrastructure and need continuous automated auditing
- AI-native security vendors building autonomous vulnerability research tools gain a high-profile case study validating the category, with ZeroDay.Cloud emerging as a dedicated disclosure venue for AI-discovered bugs
- Managed cloud providers that auto-patch Redis dependencies can position CVE-2026-23479 as concrete evidence for the security value of managed-over-self-hosted deployments, especially where password-free configurations are common
What we don't know yet
- Coordinated disclosure timeline: when Theori first notified Redis maintainers and whether a disclosure embargo was in place before the full exploit chain became public
- Whether managed cloud Redis services automatically applied the five branch patches or require explicit operator action, given the prevalence of password-free deployments
- What other widely-deployed open-source projects Theori has already run Xint Code against, and whether additional CVEs from that analysis are pending disclosure
Originally reported by thehackernews.com
Original headline: Autonomous AI Security Tool Exposes 2-Year-Old Critical RCE in Redis — CVE-2026-23479 Full Exploit Chain Now Public