How is CVE-2026-46752 exploited?

Network reachability (required): The vulnerability is reachable over the network (AV:N); an attacker must be able to send commands to the exposed Kvrocks service endpoint. Authentication (not-required): No credentials or account are needed (PR:N); any unauthenticated client that can reach the service can trigger the overflow. Victim interaction (not-required): No user action is needed (UI:N); the attacker triggers the overflow entirely through their own requests to the service. Attack complexity (info): Attack complexity is low (AC:L); the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

What is the impact of CVE-2026-46752?

An attacker can read arbitrary memory from the Kvrocks process, exposing stored keys, values, session data, and any secrets held in memory. An attacker can write to arbitrary memory locations, modifying persisted data structures and injecting malicious content into the database. The affected Kvrocks service can be crashed or rendered unresponsive, causing a full denial of service for dependent applications. Because both system confidentiality and system integrity are rated High (SC:H, SI:H, SA:H), compromise extends beyond the Kvrocks process itself to other services or infrastructure sharing the same host or network segment.

Back to search

CRITICALCVE-2026-46752Published 2026-06-25Modified 2026-06-25CNA apache

CVE-2026-46752: Apache Kvrocks: Stack buffer overflow in Lua bit.tohex()

Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.

CVSS v4.0: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

A heap-based buffer overflow exists in the Lua cjson library embedded in Apache Kvrocks, affecting versions 2.0.4 through 2.15.0. The vulnerability is reachable over the network with no authentication required, making it exploitable by any client that can send commands to the Kvrocks service. Successful exploitation gives an attacker full read, write, and availability impact over both the affected service and any systems it can reach. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-46752 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache Kvrocks. Any image running an affected version (2.0.4 through 2.15.0) is flagged automatically in both registry scans and pipeline checks.

Available

Triage

HarborGuard is capable of scoring this CVE at its full CVSS v4.0 severity of 10.0 (Critical) and weighting it against each customer environment's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated version of Apache Kvrocks is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention once the fix version is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerability is reachable over the network (AV:N); an attacker must be able to send commands to the exposed Kvrocks service endpoint.
AuthenticationNot required
No credentials or account are needed (PR:N); any unauthenticated client that can reach the service can trigger the overflow.
Victim interactionNot required
No user action is needed (UI:N); the attacker triggers the overflow entirely through their own requests to the service.
Attack complexityDetail
Attack complexity is low (AC:L); the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

An attacker can read arbitrary memory from the Kvrocks process, exposing stored keys, values, session data, and any secrets held in memory.
An attacker can write to arbitrary memory locations, modifying persisted data structures and injecting malicious content into the database.
The affected Kvrocks service can be crashed or rendered unresponsive, causing a full denial of service for dependent applications.
Because both system confidentiality and system integrity are rated High (SC:H, SI:H, SA:H), compromise extends beyond the Kvrocks process itself to other services or infrastructure sharing the same host or network segment.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-46752 at this time, HarborGuard continuously monitors the Apache Kvrocks advisory on every ingest cycle and will trigger a patched-image rebuild the moment version 2.16.0 or a subsequent fix release is confirmed upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression-test run and a PR opened against all affected workloads. In the interim, compensating controls worth considering include isolating Kvrocks instances behind strict network policy (blocking unauthenticated external access to the Kvrocks port), applying egress filtering to limit lateral movement if the service is compromised, and disabling Lua scripting at the application layer if the feature is not actively required. HarborGuard will surface the patched rebuild to affected environments without requiring manual re-scanning once the fix is available.

See how HarborGuard automates this

Affected packages

Apache Software Foundation / Apache Kvrocks
≤ 2.15.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

lists.apache.org

Metrics

Get notified