Description
tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://sourceforge.net/p/atftp/code/ci/d255bf90834fb45be52decf9bc0b4fb46c90f205/
Exploit, Third Party Advisory x_refsource_misc
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-41054
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/11/msg00014.html
Scores
CVSS v3
7.5
EPSS
0.0048
EPSS Percentile
65.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-120
Status
published
Products (2)
atftp_project/atftp
< 0.7.4
debian/debian_linux
9.0
Published
Sep 13, 2021
Tracked Since
Feb 18, 2026