openSUSE-SU-2026:20003-1

Security fixes:
- CVE-2025-49844: Fixed that a Lua script may lead to remote code execution (bsc#1250995)
- CVE-2025-46817: Fixed that a Lua script may lead to integer overflow and potential RCE (bsc#1250995)
- CVE-2025-46818: Fixed that a Lua script can be executed in the context of another user (bsc#1250995)
- CVE-2025-46819: Fixed LUA out-of-bound read (bsc#1250995)
Bug fixes:
- Fix accounting for dual channel RDB bytes in replication stats (#2614)
- Fix EVAL to report unknown error when empty error table is provided (#2229)
- Fix use-after-free when active expiration triggers hashtable to shrink (#2257)
- Fix MEMORY USAGE to account for embedded keys (#2290)
- Fix memory leak when shrinking a hashtable without entries (#2288)
- Prevent potential assertion in active defrag handling large allocations (#2353)
- Prevent bad memory access when NOTOUCH client gets unblocked (#2347)
- Converge divergent shard-id persisted in nodes.conf to primary's shard id (#2174)
- Fix client tracking memory overhead calculation (#2360)
- Fix RDB load per slot memory pre-allocation when loading from RDB snapshot (#2466)
- Don't use AVX2 instructions if the CPU doesn't support it (#2571)
- Fix bug where active defrag may be unable to defrag sparsely filled pages (#2656)

Changes from 8.0.5:

https://github.com/valkey-io/valkey/releases/tag/8.0.5

References

Affected packages

openSUSE:Leap 16.0 / valkey

Package

Name: valkey
Purl: pkg:rpm/opensuse/valkey&distro=openSUSE%20Leap%2016.0

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.6-160000.1.1

Ecosystem specific

{
    "binaries": [
        {
            "valkey-devel": "8.0.6-160000.1.1",
            "valkey": "8.0.6-160000.1.1",
            "valkey-compat-redis": "8.0.6-160000.1.1"
        }
    ]
}

Database specific

source

"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2026:20003-1.json"