Bug 2401258 (CVE-2025-46817)

Summary:	CVE-2025-46817 redis: Lua library commands may lead to integer overflow and potential RCE
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	abarbaro, alinfoot, anthomas, aprice, bbrownin, bdettelb, brasmith, caswilli, cochase, dnakabaa, doconnor, dranck, dtrifiro, eglynn, ehelms, ggainey, haoli, hkataria, jajackso, jcammara, jcantril, jchui, jdobes, jhe, jjoyce, jkoehler, jmitchel, jneedle, joehler, jsamir, jschluet, juwatts, jvasik, jwong, kaycoth, kegrant, kgaikwad, koliveir, kshier, ktsao, lcouzens, lhh, lphiri, lsvaty, mabashia, mburns, mgarciac, mhulan, mskarbek, nboldt, nmoumoul, oezr, orabin, osousa, pbraun, pcreech, pgrist, psegedy, psrna, rblanco, rbryant, rchan, rojacob, shvarugh, simaishi, smallamp, smcdonal, stcannon, teagle, tfister, thavo, tmalecek, ttakamiy, vmugicag, weaton, xiaoxwan, yguenane, zzhou
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	An integer overflow present in the Redis Lua scripting engine that allows an authenticated client to submit a specially crafted Lua script (for example via EVAL/EVALSHA) that can trigger memory corruption and potentially lead to remote code execution within the Redis server process.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2414764, 2414765, 2414766, 2414767
Bug Blocks:

Description OSIDB Bzimport 2025-10-03 18:02:06 UTC

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to cause an integer overflow and potentially lead to remote code execution The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2.

Comment 2 errata-xmlrpc 2025-10-21 23:54:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:18931 https://access.redhat.com/errata/RHSA-2025:18931

Comment 3 errata-xmlrpc 2025-10-23 08:28:40 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:18997 https://access.redhat.com/errata/RHSA-2025:18997

Comment 4 errata-xmlrpc 2025-10-23 09:21:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:18996 https://access.redhat.com/errata/RHSA-2025:18996

Comment 5 errata-xmlrpc 2025-10-23 20:23:41 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:19086 https://access.redhat.com/errata/RHSA-2025:19086

Comment 7 errata-xmlrpc 2025-10-29 09:28:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19238 https://access.redhat.com/errata/RHSA-2025:19238

Comment 8 errata-xmlrpc 2025-10-29 09:34:02 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:19237 https://access.redhat.com/errata/RHSA-2025:19237

Comment 9 errata-xmlrpc 2025-10-29 09:39:09 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:19239 https://access.redhat.com/errata/RHSA-2025:19239

Comment 10 errata-xmlrpc 2025-10-30 10:17:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:19318 https://access.redhat.com/errata/RHSA-2025:19318

Comment 11 errata-xmlrpc 2025-10-30 14:06:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:19345 https://access.redhat.com/errata/RHSA-2025:19345

Comment 12 errata-xmlrpc 2025-11-03 01:36:49 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:19399 https://access.redhat.com/errata/RHSA-2025:19399

Comment 13 errata-xmlrpc 2025-11-04 14:38:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:19675 https://access.redhat.com/errata/RHSA-2025:19675

Comment 14 errata-xmlrpc 2025-11-11 13:50:46 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20926 https://access.redhat.com/errata/RHSA-2025:20926

Comment 15 errata-xmlrpc 2025-11-11 14:59:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20955 https://access.redhat.com/errata/RHSA-2025:20955

Comment 16 errata-xmlrpc 2025-11-24 01:59:04 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:21916 https://access.redhat.com/errata/RHSA-2025:21916

Comment 17 errata-xmlrpc 2025-11-24 09:41:32 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21936 https://access.redhat.com/errata/RHSA-2025:21936