CVE-2025-49112: setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.
3.1
CVSS
Description
setDeferredReply in networking.c in Valkey through 8.1.1 has an integer underflow for prev->size - prev->used.
Classification
CVE ID: CVE-2025-49112
CVSS Base Severity: LOW
CVSS Base Score: 3.1
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Problem Types
CWE-191 Integer Underflow (Wrap or Wraparound)Affected Products
Vendor: Valkey
Product: Valkey
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 1.54% (scored less or equal to compared to others)
EPSS Date: 2025-06-05 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-49112https://github.com/valkey-io/valkey/blob/daea05b1e26db29bfd1c033e27f9d519a2f8ccbb/src/networking.c#L886
https://github.com/valkey-io/valkey/pull/2101
https://github.com/redis/redis/blob/994bc96bb1744cb153392fc96bdba43eae56e17f/src/networking.c#L783