CVE-2025-32023: Redis allows out of bounds writes in hyperloglog commands leading to RCE

Bug #2141721 reported by Titi Wangsa Damhore
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| redis (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

https://www.cve.org/CVERecord?id=CVE-2025-32023
https://ubuntu.com/security/CVE-2025-32023

Noble is vulnerable.

This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. I tried to trigger it by installing it with `apt-get install redis-server` and running `/usr/bin/redis-server --port 30000`.

There is a PoC here: https://github.com/leesh3288/CVE-2025-32023/blob/main/poc.py
I modified it to make sure we didn't crash redis when input was good.

When using `/usr/bin/redis-server --port 30000`:

```
ubuntu@launchpad:~$ python3 twd425_poc.py
Normal merge should work
Normal merge is good
trigger crash
pfmerge failed - as expected with bad input.
It crashed. Not patched yet!
ubuntu@launchpad:~$
```

After patching and running `./src/redis-server --port 30000`:

```
ubuntu@launchpad:~$ python3 twd425_poc.py
Normal merge should work
Normal merge is good
trigger crash
pfmerge failed - as expected with bad input.
It didn't crash. Patched!
ubuntu@launchpad:~$
```

The fix is based on this pull request from July 2025:
https://github.com/redis/redis/pull/14173
The pull request also fixes CVE-2025-48367. I decided not to include the fix for the other CVE as I have not tested it yet.

The official fix for CVE-2025-32023 comes with 2 commits
- c5de37d
- 78d5be1

I only applied c5de37d, as that was the minimal change needed to make it work. The other commit, 78d5be1, is to support tcl8.5. Noble comes with tcl8.6, therefore I did not apply the second patch.

Built and tested on noble (multipass VM on aarch64) using:
```
DEB_BUILD_OPTIONS=nocheck dpkg-buildpackage -us -uc
./runtest --single unit/hyperloglog
\o/ All tests passed without errors!
```
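A triage helper for the fixed-version list in the description, added here as an example (it is not part of the bug report, the debdiff, or the Redis project). It reads the `redis_version` field from the text the `INFO server` command returns and classifies it against the upstream releases the report names as fixed (8.0.3, 7.4.5, 7.2.10, 6.2.19). The sample `INFO` block is constructed. The important caveat is built in: distribution backports such as the noble debdiff discussed here fix the bug without changing the version string (the server still reports 7.0.15), so anything other than "fixed" only means the version is inconclusive and a functional PFMERGE test like the one the reporter ran is needed.

```python
"""Version triage for CVE-2025-32023 (Redis hyperloglog out-of-bounds write).

Added example, not part of the bug report or of the Redis project.
Fixed upstream releases are the ones listed in the report. Distributions
backport fixes without bumping redis_version, so a non-"fixed" verdict means
"inconclusive, run a functional test", never "confirmed vulnerable".
"""
import re

# Minimum upstream release per branch containing the fix (from the report).
FIXED_RELEASES = {
    (8, 0): (8, 0, 3),
    (7, 4): (7, 4, 5),
    (7, 2): (7, 2, 10),
    (6, 2): (6, 2, 19),
}


def parse_version(text):
    """Turn '7.0.15' into (7, 0, 15); any suffix such as '-rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def upstream_status(version):
    """Classify an upstream version string.

    Returns 'fixed', 'unpatched-upstream' (branch has a fix release and this
    version is below it) or 'unknown-branch' (the report lists no fixed
    release for this branch, e.g. the 7.0.x series noble ships).
    """
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_RELEASES:
        return "unknown-branch"
    return "fixed" if v >= FIXED_RELEASES[branch] else "unpatched-upstream"


def redis_version_from_info(info_text):
    """Extract the redis_version field from INFO server output."""
    for line in info_text.splitlines():
        line = line.strip()
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def triage(info_text):
    """Return (version, status, advice) for a captured INFO server block."""
    version = redis_version_from_info(info_text)
    status = upstream_status(version)
    if status == "fixed":
        advice = "upstream release contains the fix"
    else:
        advice = ("version string is inconclusive (distro backports keep the "
                  "old redis_version); confirm with a functional PFMERGE test")
    return version, status, advice


# Constructed sample of INFO server output (fields shaped like the real ones;
# the version matches the noble package discussed in this report).
SAMPLE_INFO = """# Server
redis_version:7.0.15
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 6.8.0-generic aarch64
tcp_port:30000
"""

if __name__ == "__main__":
    print(triage(SAMPLE_INFO))
```

On a live server the same text is what `redis-cli -p 30000 INFO server` prints, so the block can be fed its output directly; the verdict for the patched noble package is still "unknown-branch", which is exactly why the reporter's functional check, not the version, is the evidence that the debdiff works.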

description: updated
information type: Private Security → Public Security
Titi Wangsa Damhore (twd425) wrote :

Additionally, https://ubuntu.com/security/CVE-2025-32023 mentions valkey needs evaluation for noble.
I tested valkey:
```
ubuntu@valkey:~$ /usr/bin/valkey-server --version
Server v=7.2.11 sha=00000000:0 malloc=jemalloc-5.3.0 bits=64 build=4db28f08fd498d66
ubuntu@valkey:~$ sha256sum /usr/bin/valkey-server
29d776e69fcd5c1beba27a8c23fae2e6f3c4b14d8b9019facbbae80f550280c2 /usr/bin/valkey-server
ubuntu@valkey:~$
```

Not Vulnerable

```
ubuntu@valkey:~$ python3 twd425_poc.py
Normal merge should work
Normal merge is good
trigger crash
pfmerge failed - as expected with bad input.
It didn't crash. Patched!
```

Titi Wangsa Damhore (twd425) wrote (last edit ):

Test result on redis-7.0.15:

```
$ ./runtest --single unit/hyperloglog
Cleanup: may take some time... OK
Starting test server at port 21079
[ready]: 476886
Testing unit/hyperloglog
[ready]: 476887
[ready]: 476888
[ready]: 476889
[ready]: 476884
[ready]: 476885
[ready]: 476891
[ready]: 476890
[ready]: 476892
[ready]: 476894
[ready]: 476895
[ready]: 476893
[ready]: 476896
[ready]: 476899
[ready]: 476898
[ready]: 476897
[ok]: HyperLogLog self test passes (336 ms)
[ok]: PFADD without arguments creates an HLL value (1 ms)
[ok]: Approximated cardinality after creation is zero (0 ms)
[ok]: PFADD returns 1 when at least 1 reg was modified (0 ms)
[ok]: PFADD returns 0 when no reg was modified (0 ms)
[ok]: PFADD works with empty string (regression) (0 ms)
[ok]: PFCOUNT returns approximated cardinality of set (0 ms)
[ok]: HyperLogLogs are promote from sparse to dense (243 ms)
[ok]: HyperLogLog sparse encoding stress test (660 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Additional at tail (0 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Broken magic (1 ms)
[ok]: Corrupted sparse HyperLogLogs are detected: Invalid encoding (0 ms)
[ok]: Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with XZERO opcode (21 ms)
[ok]: Corrupted sparse HyperLogLogs doesn't cause overflow and out-of-bounds with ZERO opcode (4988 ms)
[ok]: Corrupted dense HyperLogLogs are detected: Wrong length (3 ms)
[ok]: Fuzzing dense/sparse encoding: Redis should always detect errors (93082 ms)
[ok]: PFADD, PFCOUNT, PFMERGE type checking works (2 ms)
[ok]: PFMERGE results on the cardinality of union of sets (1 ms)
[ok]: PFCOUNT multiple-keys merge returns cardinality of union #1 (3481 ms)
[ok]: PFCOUNT multiple-keys merge returns cardinality of union #2 (1712 ms)
[ok]: PFDEBUG GETREG returns the HyperLogLog raw registers (259 ms)
[ok]: PFADD / PFCOUNT cache invalidation works (2 ms)
[1/1 done]: unit/hyperloglog (105 seconds)

                   The End

Execution time of different units:
  105 seconds - unit/hyperloglog

\o/ All tests passed without errors!

Cleanup: may take some time... OK
```

Eduardo Barretto (ebarretto) wrote :

Hi Titi,

Could you please fix the debdiff to have version 5:7.0.15-1ubuntu0.24.04.3 and noble-security?

Titi Wangsa Damhore (twd425) wrote :

Sorry about that.
