CVE-2025-26413

Improper Input Validation vulnerability in Apache Kvrocks.

The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index
of a string. So it will cause the server to crash due to its index is out of range.
This issue affects Apache Kvrocks: through 2.11.1.

Users are recommended to upgrade to version 2.12.0, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
apachekvrocks
𝑥
< 2.12.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://lists.apache.org/thread/388743qrr8yq8qm0go8tls6rf1kog8dw
http://www.openwall.com/lists/oss-security/2025/04/22/1