CVE-2021-27135

CRITICAL

xterm < 366 - Remote Code Execution via UTF-8 Combining Character Sequence

Title source: llm
STIX 2.1

Description

xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

References (13)

Core 13
Core References
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2021/02/09/7
Mailing List, Third Party Advisory x_refsource_misc
https://www.openwall.com/lists/oss-security/2021/02/09/9
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2021/02/10/7
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html
Issue Tracking, Third Party Advisory x_refsource_misc
https://news.ycombinator.com/item?id=26524650
Third Party Advisory x_refsource_misc
https://access.redhat.com/security/cve/CVE-2021-27135
Issue Tracking x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1927559
Release Notes, Vendor Advisory x_refsource_confirm
https://invisible-island.net/xterm/xterm.log.html
Issue Tracking x_refsource_confirm
https://bugzilla.suse.com/show_bug.cgi?id=1182091
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2021/May/52
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202208-22

Scores

CVSS v3 9.8
EPSS 0.0754
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (3)
debian/debian_linux 9.0
fedoraproject/fedora 33
invisible-island/xterm < 366
Published Feb 10, 2021
Tracked Since Feb 18, 2026