In May 2026, Redis developers addressed a critical vulnerability named DarkReplica (CVE-2026-23631). The flaw allowed an authenticated attacker to achieve remote code execution (RCE) and take complete control of the host running Redis.
Understanding Redis’s Lua Engines
Redis offers robust server-side Lua engines, which empower administrators to execute custom logic directly within the database. There are two primary engines: an older scripting engine and a newer functions engine. The latter allows for library storage and synchronization across nodes.
DarkReplica specifically targets the functions engine during the replication phase. Attackers with authentication credentials can command a Redis instance to replicate from an attacker-controlled master using the SLAVEOF command. This leads the server to load a new function context from an incoming Redis dump (RDB) file during synchronization.
Exploitation Mechanics of the RCE Vulnerability
This vulnerability was uncovered during a 2025 research initiative by ZeroDay.Cloud, showcasing how intricate features and unexpected interactions can lead to severe security risks. Redis manages long-running Lua functions by yielding periodically to process events, which is what allows the FUNCTION KILL command to interrupt them.
However, while a slow function is paused, replication events can be processed, creating a loophole. The replication handler inadvertently frees the running Lua engine and replaces it with a new context, without preventing the paused function from resuming. This results in a use-after-free condition.
Exploiting this condition, while complex, is feasible. Researchers have developed methods to leak heap addresses, enforce deterministic heap allocations, and fabricate Lua objects. By executing vulnerable code within coroutines and manipulating the Lua memory arena, they regained control over the Lua VM, eventually achieving full RCE on the host.
Patch Implementation and Future Recommendations
The vulnerability affected the maintained Redis release series 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x, all of which were patched on May 5, 2026. Operators are urged to upgrade to the fixed versions and thoroughly audit exposed instances.
Because exploitation requires authentication and advanced memory manipulation, the highest risk exists for poorly configured servers with weak or no credentials, or where attackers can acquire valid credentials. This incident underscores the importance of robust authentication and network controls, along with vigilant monitoring of any unexpected configuration changes.
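One way to monitor for the replication change at the heart of this bug, as an added example that is not code from the Redis project or from the researchers: scan Redis server log lines for the notice Redis emits when a client issues SLAVEOF/REPLICAOF, and flag any replication target outside an allowlist of known masters. The log lines, allowlist and client details below are constructed samples modelled on Redis's log format.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on Redis's notice format for a client-requested
# replication change. Exact wording may differ slightly between Redis versions.
SAMPLE_LOG = """\
1234:M 05 May 2026 10:00:01.000 * Ready to accept connections tcp
1234:S 05 May 2026 10:02:15.123 * REPLICAOF 10.0.0.5:6379 enabled (user request from 'id=12 addr=10.0.0.20:51122 laddr=10.0.0.10:6379 fd=8 name= user=app')
1234:S 05 May 2026 10:02:15.130 * MASTER <-> REPLICA sync started
1234:S 05 May 2026 10:07:40.001 * REPLICAOF 203.0.113.9:6379 enabled (user request from 'id=31 addr=198.51.100.7:40000 laddr=10.0.0.10:6379 fd=9 name= user=default')
1234:S 05 May 2026 10:07:40.002 * Connecting to MASTER 203.0.113.9:6379
"""

# Masters this instance is expected to replicate from (constructed for the example).
ALLOWED_MASTERS = {"10.0.0.5:6379"}

REPLICAOF_RE = re.compile(
    r"REPLICAOF (?P<master>\S+:\d+) enabled \(user request from '(?P<client>[^']*)'\)"
)


@dataclass(frozen=True)
class ReplicationAlert:
    master: str       # host:port the instance was told to replicate from
    client_addr: str  # address of the client that issued the command
    user: str         # ACL user the client authenticated as
    reasons: tuple    # why this change is suspicious


def parse_client_info(info: str) -> dict:
    """Turn Redis's 'id=.. addr=.. user=..' client string into a dict."""
    return dict(tok.split("=", 1) for tok in info.split() if "=" in tok)


def find_unexpected_replication(log: str, allowed_masters: set) -> list:
    """Return an alert for every replication change to a master not in the allowlist."""
    alerts = []
    for line in log.splitlines():
        m = REPLICAOF_RE.search(line)
        if not m:
            continue
        master, client = m.group("master"), parse_client_info(m.group("client"))
        reasons = []
        if master not in allowed_masters:
            reasons.append("master not in allowlist")
        if client.get("user") == "default":
            reasons.append("issued as the default user")  # weak/shared credentials
        if reasons:
            alerts.append(ReplicationAlert(master, client.get("addr", ""),
                                           client.get("user", ""), tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in find_unexpected_replication(SAMPLE_LOG, ALLOWED_MASTERS):
        print(f"ALERT master={a.master} from={a.client_addr} user={a.user}: {', '.join(a.reasons)}")
```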
Detailed technical write-ups and exploits have been published by researchers, while vendors and cloud security tools are now providing advisories to detect affected installations.
