Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479)

ID: f73ca412-5c36-5b09-91ba-7494d7998f48

STIX ID: report--f73ca412-5c36-5b09-91ba-7494d7998f48

Feed Name: The Hacker News

Threat Score: 75/100

Date Published: 2026-06-03

Date Updated: 2026-06-04

Author: The Hacker News

Redis contains a critical authenticated use-after-free (CVE-2026-23479) in its blocking-client code. An attacker with the required ACL privileges can achieve remote code execution by leaking a heap pointer via Lua, freeing and faking a client structure, and corrupting memory to redirect a GOT entry to system(). Numerous stable branches were affected until patched on May 5. The exploit is practical in default deployments, many of which run without passwords and grant the default user the needed privileges, though no in-the-wild exploitation has been reported.