CVE-2021-27135

xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
Affected Products (NVD)
VendorProductVersion
invisible-islandxterm
𝑥
< 366
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
xterm
bookworm
379-1
fixed
bullseye
366-1+deb11u1
fixed
sid
395-1
fixed
trixie
395-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
xterm
bionic
Fixed 330-1ubuntu2.2
released
focal
Fixed 353-1ubuntu1.20.04.2
released
groovy
Fixed 353-1ubuntu1.20.10.2
released
trusty
dne
xenial
Fixed 322-1ubuntu1.2
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
xterm-330
suse enterprise desktop 15 SP2
11.3.1
fixed
suse enterprise desktop 15 SP3
11.3.1
fixed
suse enterprise desktop 15 SP4
11.3.1
fixed
suse enterprise desktop 15 SP5
11.3.1
fixed
suse enterprise desktop 15 SP6
11.3.1
fixed
suse enterprise desktop 15 SP7
11.3.1
fixed
suse enterprise sap 15
4.3.1
fixed
suse enterprise sap 15 SP1
4.3.1
fixed
suse enterprise sap 15 SP2
11.3.1
fixed
suse enterprise sap 15 SP3
11.3.1
fixed
suse enterprise sap 15 SP4
11.3.1
fixed
suse enterprise sap 15 SP5
11.3.1
fixed
suse enterprise sap 15 SP6
11.3.1
fixed
suse enterprise sap 15 SP7
11.3.1
fixed
suse enterprise server 15
4.3.1
fixed
suse enterprise server 15 SP1
4.3.1
fixed
suse enterprise server 15 SP2
11.3.1
fixed
suse enterprise server 15 SP3
11.3.1
fixed
suse enterprise server 15 SP4
11.3.1
fixed
suse enterprise server 15 SP5
11.3.1
fixed
suse enterprise server 15 SP6
11.3.1
fixed
suse enterprise server 15 SP7
11.3.1
fixed
xterm-bin-330
suse enterprise desktop 15 SP2
11.3.1
fixed
suse enterprise desktop 15 SP3
11.3.1
fixed
suse enterprise desktop 15 SP4
11.3.1
fixed
suse enterprise desktop 15 SP5
11.3.1
fixed
suse enterprise desktop 15 SP6
11.3.1
fixed
suse enterprise desktop 15 SP7
11.3.1
fixed
suse enterprise sap 15
4.3.1
fixed
suse enterprise sap 15 SP1
4.3.1
fixed
suse enterprise sap 15 SP2
11.3.1
fixed
suse enterprise sap 15 SP3
11.3.1
fixed
suse enterprise sap 15 SP4
11.3.1
fixed
suse enterprise sap 15 SP5
11.3.1
fixed
suse enterprise sap 15 SP6
11.3.1
fixed
suse enterprise sap 15 SP7
11.3.1
fixed
suse enterprise server 15
4.3.1
fixed
suse enterprise server 15 SP1
4.3.1
fixed
suse enterprise server 15 SP2
11.3.1
fixed
suse enterprise server 15 SP3
11.3.1
fixed
suse enterprise server 15 SP4
11.3.1
fixed
suse enterprise server 15 SP5
11.3.1
fixed
suse enterprise server 15 SP6
11.3.1
fixed
suse enterprise server 15 SP7
11.3.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
xterm
RHEL 7
0:295-3.el7_9.1
fixed
RHEL 8
0:331-1.el8_3.2
fixed
RHEL 8.1 E4S
0:331-1.el8_1.1
fixed
RHEL 8.1 EUS
0:331-1.el8_1.1
fixed
RHEL 8.2 AUS
0:331-1.el8_2.1
fixed
RHEL 8.2 E4S
0:331-1.el8_2.1
fixed
RHEL 8.2 EUS
0:331-1.el8_2.1
fixed
RHEL 8.2 TUS
0:331-1.el8_2.1
fixed
xterm-resize
RHEL 8
0:331-1.el8_3.2
fixed
RHEL 8.1 E4S
0:331-1.el8_1.1
fixed
RHEL 8.1 EUS
0:331-1.el8_1.1
fixed
RHEL 8.2 AUS
0:331-1.el8_2.1
fixed
RHEL 8.2 E4S
0:331-1.el8_2.1
fixed
RHEL 8.2 EUS
0:331-1.el8_2.1
fixed
RHEL 8.2 TUS
0:331-1.el8_2.1
fixed
References
http://seclists.org/fulldisclosure/2021/May/52
http://www.openwall.com/lists/oss-security/2021/02/10/7
https://access.redhat.com/security/cve/CVE-2021-27135
https://bugzilla.redhat.com/show_bug.cgi?id=1927559
https://bugzilla.suse.com/show_bug.cgi?id=1182091
https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c
https://invisible-island.net/xterm/xterm.log.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
https://news.ycombinator.com/item?id=26524650
https://security.gentoo.org/glsa/202208-22
https://www.openwall.com/lists/oss-security/2021/02/09/7
https://www.openwall.com/lists/oss-security/2021/02/09/9
http://seclists.org/fulldisclosure/2021/May/52
http://www.openwall.com/lists/oss-security/2021/02/10/7
https://access.redhat.com/security/cve/CVE-2021-27135
https://bugzilla.redhat.com/show_bug.cgi?id=1927559
https://bugzilla.suse.com/show_bug.cgi?id=1182091
https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c
https://invisible-island.net/xterm/xterm.log.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
https://news.ycombinator.com/item?id=26524650
https://security.gentoo.org/glsa/202208-22
https://www.openwall.com/lists/oss-security/2021/02/09/7
https://www.openwall.com/lists/oss-security/2021/02/09/9