CVE-2021-27135
- Source
- https://cve.org/CVERecord?id=CVE-2021-27135
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27135.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-27135
- Downstream
- Related
- Published
- 2021-02-10T16:15:13.787Z
- Modified
- 2026-03-15T22:40:41.700009Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
- https://security.gentoo.org/glsa/202208-22
- https://www.openwall.com/lists/oss-security/2021/02/09/7
- http://seclists.org/fulldisclosure/2021/May/52
- http://www.openwall.com/lists/oss-security/2021/02/10/7
- https://access.redhat.com/security/cve/CVE-2021-27135
- https://invisible-island.net/xterm/xterm.log.html
- https://www.openwall.com/lists/oss-security/2021/02/09/9
- https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1927559
- https://bugzilla.suse.com/show_bug.cgi?id=1182091
- https://news.ycombinator.com/item?id=26524650
- https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c
Affected packages
Git / github.com/ThomasDickey/xterm-snapshots
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ThomasDickey/xterm-snapshots
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Database specific
{ "versions": [ { "introduced": "0" }, { "fixed": "366" } ] }
- Type
- GIT
- Repo
- https://github.com/thomasdickey/xterm-snapshots
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27135.json"
vanir_signatures
[
{
"id": "CVE-2021-27135-223fd415",
"signature_type": "Line",
"digest": {
"line_hashes": [
"226705682114956398685846114735549955514",
"284728283629381026560432301225281944672",
"241608671915037702564816113690035224637",
"323570788994934141974789437038625720627"
],
"threshold": 0.9
},
"target": {
"file": "Tekproc.c"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-442b682a",
"signature_type": "Function",
"digest": {
"function_hash": "127070465904715510616392304427124691562",
"length": 5505.0
},
"target": {
"file": "misc.c",
"function": "do_osc"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-471317cc",
"signature_type": "Line",
"digest": {
"line_hashes": [
"280709191846888646550698681540738961659",
"226705682114956398685846114735549955514",
"252451151152915977382280230916467996104",
"10135954149745406975362795339274391879",
"277590772243710789756231888917625886159",
"174385177254667704275054183006727246373",
"53974488310248005238152084537436460795",
"173589553026532778298841178527036107948",
"245376495834198285527382064015999749958",
"173086633510014195517003102476589093628",
"126134250880498267035722584537690813561",
"246935202716737391353200169750233309647",
"25488849075141521268775484257805824636",
"142483252976579474851934010566698720908",
"139861737739641820012893465514109610676",
"35336434664662403871308513023694792412",
"336722215932442192283583105186864187245",
"42610278977366364618731082774493205441",
"173935868830782842580687563221739320419",
"132646632278475381123183588689971022165",
"35528415697002637027048522596005520673",
"163896385807631309978555388515950618758",
"270749469705006858191819603330399319679",
"251086218256038773859123398299384091817",
"327814840434038343724647610298853355992",
"125318047365383961727906368687703028462",
"89364007982166668024592249696500602280",
"76345595754548076663452169411992688972",
"142237196402299753189105093320171887227",
"112462427709371277111883341953802868737",
"251751322705141133425265816393336719150",
"44181428827550637318129757331949376420",
"138583554742635123225587885490227240973",
"296347859757246977399321637291842699382",
"331112228688638702530361708818265249764",
"44804556427582153993162990961399443689",
"255075705172259867202060680002642899053",
"242201102045282095816070014016665359051",
"161504014374521074827468553238823683406",
"62167224929021692133398291641577335640",
"97792576252762103858176673296455761552",
"188518386540423457082943321359692898803",
"4010030047529690650657161002237509387",
"170429844822433222019863638475692183976",
"265642429328231205355322352150396228864",
"566120155691844787083730886144405939",
"318781887252173086121049918804735720421",
"288760628316193800053746590455149468151",
"31001497096229790573543894970126459707",
"81629981202481641297688391414516636433",
"121158407101533118064873197736492790259",
"328949005260222758869859776995115540211",
"95803741572572839564073036712838260904",
"178936421502492694060234835568300898361",
"130799906630688719493223679374798669717",
"172139263653526526245267282958032138394",
"44028362625048614664140459644367332830",
"64643268354849795983592409872499113300",
"122274706139804331759796242852332387472",
"112467043421239801377616973728905961372",
"173190449677022640434018764058112020820",
"292648278138743617897745305703950416350",
"253643342136526512846268874806508528014",
"333978298987779596323201183069626701489",
"216271558675049484966825530321862216406",
"126586841998529848930115536787431908975",
"74195884169200568559979400402491829655",
"219554785980094828698571268163678268141",
"234094167595483306867763415226646486640",
"272258221669919149943668383096599983356",
"188151475264752820104339306277638615008",
"168864237646517475504032317660512803681",
"211190162928353430486334285500308467021",
"68006722170955113957990986971196745822",
"202170362119682739512248022105016137546",
"90183885948604087333555714557401408415",
"225713318487517140581097520855122642583",
"20779807987129472637393645037935954467",
"8555656639096673522124277596235780768",
"107848635794427224205086204070887237157",
"55607047985036484036875784247285761191",
"19407283166991346465733764266579362668",
"269831868574013710387532245517662641913",
"305873431664383801242991232791794894259",
"119690949727642525870798466532460136562",
"115674793925800716433111584148518256067",
"42388429598614212417229567592697135908",
"27686782013739405594270920347072748656",
"200503559919357271827110291412716128119",
"202072486762941197433772872420492429506",
"320568157561534497948807577240281571807",
"297141469878859343758252897636692040847",
"295050438991641194704303978579421242000",
"7779604003790456517600010536715191169",
"53989348763585805394653215705198856161",
"105525445379191043382632706209937292420",
"130200154395047468222393443248673822842",
"27415475902297350147583370932308424672",
"49772709835657089767198105488361424477",
"216467639844748230019343895018497927264",
"75407180318704451699303769443305508093",
"90477121491718072060675061028638773452",
"191030403299871298014566886997312975349",
"91897649930860484013527677932862903122",
"221557650087221816721450107098278273776",
"314182889167994855520297096869940242060",
"233742460839799911164694397791771787804",
"92992936326423504256595606335022989156",
"76150989215642726683055508043933882294",
"297351737832971894903132365115813047057",
"46407220122534395588725652540513742479",
"162715171557179896394990430410557061413",
"238304738011719532965800634373990047382",
"302022918288066779705265462234806472579",
"50454500332394559061493709160560951513",
"132862363900470642506475538916476013541",
"117275589977115262562043201440625547685",
"240179583190321960351791869679455866464",
"308354752515490222436564410869102882039",
"73146341374928373682985806236359380466",
"23100321799526649971876323936718951404",
"286380862032246547213927278484022572308",
"186312216781839157033853547843247766171",
"278111340395685396375904314703291508756",
"276747299094217873686489012647527382964",
"239129070115456954964455470179078691136",
"94568802784762704550233800450964626976",
"230277815541096321488591233567837510974"
],
"threshold": 0.9
},
"target": {
"file": "charproc.c"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-4e6f5470",
"signature_type": "Line",
"digest": {
"line_hashes": [
"72694500207652297460808975945920711998",
"237277466881759296733375356513690493662",
"132372491384466679160873286837148254468",
"25642798928886029874802640767733127514",
"164099848433969166646613279799361929758",
"11014560221248064822611044629765564826",
"166189383573761758535097672793290215162",
"292855935639810985574292297011019046247",
"242588665069743278023405742694201145802",
"335841484031831615446560039007916277002",
"279375914903389234077515323111672098760",
"35249907194928438438649930394979921809",
"199419639856679820078998993453425914001",
"294715299407343097179856512219342483653",
"124300979861186525391169235801636455666",
"273090677168433207561407823756685399475",
"320282322418498883705653542003546244001",
"904214065557976163728780212774673152",
"272616020005234441870020148691686446685",
"64350548646897784199941918243033906684",
"322791353177174351544891449059044585802",
"131108580668779217662110309791956931455",
"10586811697175077733522694352235028330",
"62939959249465580221867296832178140075",
"212124477098067225793221045248986250543",
"120157485888596235695887349082134428958",
"232409331780280012946627685493404962739",
"155265610836499417979603110690304762676",
"43646782729099435162389060024828976552",
"39621670562495537492485562899984857698",
"2385508016753122030196617902617345398",
"272612776165544630405170437683837471556",
"333066387766028434900340732608904101606",
"317678915728580348284282405075548053451",
"2570133880513437493917470134510619628"
],
"threshold": 0.9
},
"target": {
"file": "misc.c"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-4f6855df",
"signature_type": "Function",
"digest": {
"function_hash": "47534819152559570497781849344156927115",
"length": 472.0
},
"target": {
"file": "misc.c",
"function": "xtermDisplayCursor"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-83557bd6",
"signature_type": "Line",
"digest": {
"line_hashes": [
"204929593908884127775469947004160956522",
"131684641695888650661256718546890082159",
"126809655382010135009867701658079097622",
"156776681246202259308070176035265963334",
"326289920574651518901024125105438327443"
],
"threshold": 0.9
},
"target": {
"file": "util.c"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-a2bc9fb9",
"signature_type": "Line",
"digest": {
"line_hashes": [
"277148843522247792063794214364607991703",
"16818336402220346127488010570367314038",
"323236449147721195249215930107085499439",
"297085073382815427472032307678603587892",
"74882116455560791166794663649655751526",
"325103990340651829762690253465184086568",
"203997351473975185562593409991130104445",
"215591782777490406855907464249939362306",
"15713256378289495295718885869035554783",
"153906715426697823211501509374258167069",
"155637593777033425502821384904868628191",
"307720885783947251490436529083262210094",
"323820652969859190218317359477985534990",
"101295488949237601696279946418004577908",
"99940377818103097677378623059282468999"
],
"threshold": 0.9
},
"target": {
"file": "button.c"
},
"source": "https://github.com/thomasdickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-b18f0f2d",
"signature_type": "Line",
"digest": {
"line_hashes": [
"199534115992065564062393482320705016279",
"304203568142421823906187627845949395047",
"317617454335689720228507120511803656060",
"107654739791241878775791045606133387624",
"35491446974216053249343433928397806785",
"122953575330822752808876735713250609564",
"252379642032017967221479357510032159835",
"132964942495668331078005948237477484694",
"247978921328329023575986872304006956809",
"204893840609433687165312711662396160191",
"86808312559954287772236679031657804377"
],
"threshold": 0.9
},
"target": {
"file": "xterm.h"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-d6e90df3",
"signature_type": "Function",
"digest": {
"function_hash": "163015194264236923837560198250029256481",
"length": 10120.0
},
"target": {
"file": "charproc.c",
"function": "VTRealize"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-dc32bf18",
"signature_type": "Line",
"digest": {
"line_hashes": [
"32796789806284024275639916408541358210",
"197224394363200850893404218805619087214",
"230267144874948808801123221530937563224",
"89732657109155903477984755739502864958"
],
"threshold": 0.9
},
"target": {
"file": "main.c"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-e1a347ec",
"signature_type": "Line",
"digest": {
"line_hashes": [
"323128627578147688109374271103488750544",
"55011328144653014196309963490386341495",
"174647039267080340667723307985374464576",
"253745108644445579663293773628509748856",
"284346489832229756364550425661057521884",
"127108674938365114279541143415763451261",
"273483264447646730812749789235149892426",
"89054066494610616194240864867014990756",
"312784913356344527860258683952786130238",
"83234689361834355370391707682737808410",
"338580243167605740160088853352923993522",
"47552319049112998642253747127800896038",
"172384635736661599305534344939471289138"
],
"threshold": 0.9
},
"target": {
"file": "ptyx.h"
},
"source": "https://github.com/ThomasDickey/xterm-snapshots/commit/a8fc74f3bcca38d5a288c9947f3e9d48868a3a3f",
"signature_version": "v1",
"deprecated": false
},
{
"id": "CVE-2021-27135-f415546d",
"signature_type": "Function",
"digest": {
"function_hash": "98433897814228501755533246292104164193",
"length": 2116.0
},
"target": {
"file": "button.c",
"function": "SaltTextAway"
},
"source": "https://github.com/thomasdickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c",
"signature_version": "v1",
"deprecated": false
}
]
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "33"
}
]
}
]