Releases: valkey-io/valkey
Releases Β· valkey-io/valkey
9.0.3
Valkey 9.0.3
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2026-27623) Reset request type after handling empty requests
Bug fixes
8.1.6
Valkey 8.1.6
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
- Restrict ttl from being negative and avoid crash in import-mode (#2944)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Fix crashing while MODULE UNLOAD when ACL rules reference a module command or subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
8.0.7
Valkey 8.0.7
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply
Bug fixes
- Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
- Fix chained replica crash when doing dual channel replication (#2983)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
- Fix server assert on ACL LOAD and resetchannels (#3182)
- Fix bug causing no response flush sometimes when IO threads are busy (#3205)
7.2.12
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2026-21863) Remote DoS with malformed Valkey Cluster bus message (#3249)
- (CVE-2025-67733) RESP Protocol Injection via Lua error_reply (#3249)
Bug fixes
- Fix ltrim should not call signalModifiedKey when no elements are removed (#2787)
- Fix potential infinite loop in clusterNodeGetMaster (#2830)
- Avoids crash during MODULE UNLOAD when ACL rules reference a module command and subcommand (#3160)
Full changelog: 7.2.11...7.2.12
9.0.2
Upgrade urgency HIGH: There are critical bugs that may affect a subset of users.
Bug fixes
- Avoid memory leak of new argv when HEXPIRE commands target only non-exiting fields (#2973)
- Fix HINCRBY and HINCRBYFLOAT to update volatile key tracking (#2974)
- Avoid empty hash object when HSETEX added no fields (#2998)
- Fix case-sensitive check for the FNX and FXX arguments in HSETEX (#3000)
- Prevent assertion in active expiration job after a hash with volatile fields is overwritten (#3003, #3007)
- Fix HRANDFIELD to return null response when no field could be found (#3022)
- Fix HEXPIRE to not delete items when validation rules fail and expiration is in the past (#3023, #3048)
- Fix how hash is handling overriding of expired fields overwrite (#3060)
- HSETEX - Always issue keyspace notifications after validation (#3001)
- Make zero a valid TTL for hash fields during import mode and data loading (#3006)
- Trigger prepareCommand on argc change in module command filters (#2945)
- Restrict TTL from being negative and avoid crash in import-mode (#2944)
- Fix chained replica crash when doing dual channel replication (#2983)
- Skip slot cache optimization for AOF client to prevent key duplication and data corruption (#3004)
- Fix used_memory_dataset underflow due to miscalculated used_memory_overhead (#3005)
- Avoid duplicate calculations of network-bytes-out in slot stats with copy-avoidance (#3046)
- Fix XREAD returning error on empty stream with + ID (#2742)
Performance/Efficiency Improvements
- Track reply bytes in I/O threads if commandlog-reply-larger-than is -1 (#3086, #3126).
This makes it possible to mitigate a performance regression in 9.0.1 caused by the bug fix #2652.
Full Changelog: 9.0.1...9.0.2
9.0.1
Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.
Bug fixes
- Authenticate slot migration client on source node to internal user (#2785)
- Bug fix: reset io_last_written on c->buf resize to prevent stale pointers (#2786)
- Sentinel: fix regression requiring "+failover" ACL in failover path (#2780)
- Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
- Send duplicate multi meet packet only for node which supports it in mixed clusters (#2840)
- Fix: LTRIM should not call signalModifiedKey when no elements are removed (#2787)
- Fix build on some 32-bit ARM by only using NEON on AArch64 (#2873)
- Fix deadlock in IO-thread shutdown during panic (#2898)
- Fix COMMANDLOG large-reply when using reply copy avoidance (#2652)
- Fix CLUSTER SLOTS crash when called from module timer callback (#2915)
Full Changelog: 9.0.0...9.0.1
8.1.5
Upgrade urgency MODERATE: Program an upgrade of the server, but it's not urgent.
Bug fixes
- Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826)
- Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)
- Cluster: Avoid usage of light weight messages to nodes with not ready bidirectional links (#2817)
- Send duplicate multi meet packet only for node which supports it (#2840)
- Fix loading AOF files from future Valkey versions (#2899)
Full Changelog: 8.1.4...8.1.5
9.0.0
Valkey 9.0.0 GA - October 21, 2025
Upgrade urgency LOW: This is the first release of Valkey 9.0 which
includes stability, bug fixes, and incremental improvements over the third release candidate.
Bug fixes
- HSETEX with FXX should not create an object if it does not exist (#2716)
- Fix crash when aborting a slot migration while child snapshot is active (#2721)
- Fix double MOVED reply on unblock at failover (#2734)
- Fix memory leak with CLIENT LIST/KILL duplicate filters (#2362)
- Fix incorrect accounting after completed atomic slot migration (#2749)
- Fix Lua VM crash after FUNCTION FLUSH ASYNC + FUNCTION LOAD (#1826, #2750)
- Fix invalid memory address caused by hashtable shrinking during safe iteration (#2753)
For a high level overview of the release, you can checkout release blog
For the full set of changes for the releases, please review the previous release candidates rc1, rc2 and rc3.
9.0.0-rc3
Upgrade urgency LOW: This is the third release candidate of Valkey 9.0.0,
focused on stability, bug fixes, and incremental improvements.
Security fixes
- (CVE-2025-49844) A Lua script may lead to remote code execution
- (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
- (CVE-2025-46818) A Lua script can be executed in the context of another user
- (CVE-2025-46819) LUA out-of-bound read
Performance/Efficiency
- Optimize skiplist random level generation logic (#2631)
Cluster and Replication
- Redirect blocked clients after failover (#2329)
- Prevent exposure of importing keys on replicas during atomic slot migration (#2635)
- Add slot migration client flags and module context flags (#2639)
- Introduce SYNCSLOTS CAPA for forwards compatibility (#2688)
Bug Fixes
- Fix atomic slot migration snapshot never proceeding with hz 1 (#2636)
- Defrag if slab 1/8 full to fix defrag didn't stop issue (#2656)
- Fix module key memory usage accounting (#2661)
- Fix dual rdb channel connection error log (#2658)
Commands
- Implement a lolwut for version 9 (#2646)
8.1.4
Valkey 8.1.4
Upgrade urgency SECURITY: This release includes security fixes we recommend you
apply as soon as possible.
Security fixes
- (CVE-2025-49844) A Lua script may lead to remote code execution
- (CVE-2025-46817) A Lua script may lead to integer overflow and potential RCE
- (CVE-2025-46818) A Lua script can be executed in the context of another user
- (CVE-2025-46819) LUA out-of-bound read
Bug fixes
- Fix accounting for dual channel RDB bytes in replication stats (#2614)
- Fix EVAL to report unknown error when empty error table is provided (#2229)
- Fix use-after-free when active expiration triggers hashtable to shrink (#2257)
- Fix MEMORY USAGE to account for embedded keys (#2290)
- Fix memory leak when shrinking a hashtable without entries (#2288)
- Prevent potential assertion in active defrag handling large allocations (#2353)
- Prevent bad memory access when NOTOUCH client gets unblocked (#2347)
- Converge divergent shard-id persisted in nodes.conf to primary's shard id (#2174)
- Fix client tracking memory overhead calculation (#2360)
- Fix RDB load per slot memory pre-allocation when loading from RDB snapshot (#2466)
- Don't use AVX2 instructions if the CPU doesn't support it (#2571)
- Fix bug where active defrag may be unable to defrag sparsely filled pages (#2656)
Full Changelog: 8.1.3...8.1.4