CVE-2021-26843
HIGHsthttpd < 2.27.1 - Denial of Service via de_dotdot Function
Title source: llmDescription
An issue was discovered in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can triggered with an HTTP GET request for a crafted filename. NOTE: this is similar to CVE-2017-10671, but occurs in a different part of the de_dotdot function.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/blueness/sthttpd/issues/14
Scores
CVSS v3
7.5
EPSS
0.0144
EPSS Percentile
69.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-119
Status
published
Products (1)
sthttpd_project/sthttpd
< 2.27.1
Published
Feb 07, 2021
Tracked Since
Feb 18, 2026