CVE-2025-49112
Redis vulnerability analysis and mitigation

Overview

CVE-2025-49112 affects Valkey through version 8.1.1, specifically in the setDeferredReply function within networking.c. The vulnerability was discovered and disclosed on June 2, 2025. The issue involves an integer underflow vulnerability in the calculation of prev->size - prev->used (NVD).

Technical details

The vulnerability is classified as an Integer Underflow (CWE-191) with a CVSS v3.1 Base Score of 3.1 (LOW). The attack vector is adjacent network (AV:A) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with no impact to confidentiality (C:N) or integrity (I:N), but low impact to availability (A:L) (NVD).

Impact

The integer underflow vulnerability in the setDeferredReply function could potentially affect system availability when exploited by an adjacent network attacker. The low CVSS score indicates limited impact, primarily affecting system availability without compromising confidentiality or integrity (NVD).

Mitigation and workarounds

A fix has been proposed that involves explicitly checking that prev->used is less than prev->size before performing the subtraction, preventing potential integer underflow. This approach avoids relying on unsigned arithmetic and ensures the logic is clear and robust (GitHub PR).
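The check described above, shown as an added example that is not Valkey's code: a simplified, hypothetical reply_block struct (only the field names size and used come from the advisory; the size_t types, the 16-byte buffer and all function names are assumptions) compares the wrapped result of the bare subtraction with the compare-before-subtract form.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a reply buffer block, not Valkey's struct. */
typedef struct {
    size_t size;      /* capacity the block claims, in bytes */
    size_t used;      /* bytes already written */
    char   buf[16];
} reply_block;

/* Bare subtraction: with unsigned operands, used > size wraps around. */
static size_t avail_unchecked(const reply_block *b) {
    return b->size - b->used;
}

/* Compare first, subtract second: inconsistent state yields 0 free bytes. */
static size_t avail_checked(const reply_block *b) {
    if (b->size > sizeof b->buf) return 0;   /* claimed capacity too large */
    return (b->used < b->size) ? b->size - b->used : 0;
}

/* Would a length test built on the bare subtraction accept len bytes? */
static int unchecked_would_accept(const reply_block *b, size_t len) {
    return len <= avail_unchecked(b);
}

/* Append only when the data fits; returns the number of bytes copied. */
static size_t append_checked(reply_block *b, const char *s, size_t len) {
    if (len == 0 || len > avail_checked(b)) return 0;
    memcpy(b->buf + b->used, s, len);
    b->used += len;
    return len;
}

int main(void) {
    reply_block bad = { 16, 17, {0} };   /* constructed inconsistent state */
    printf("unchecked=%zu checked=%zu\n",
           avail_unchecked(&bad), avail_checked(&bad));
    printf("length test on wrapped value accepts 1000 bytes: %d\n",
           unchecked_would_accept(&bad, 1000));
    printf("checked append copied %zu bytes\n",
           append_checked(&bad, "abc", 3));
    return 0;
}
```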

This report was generated using AI.
