CVE-2021-20235
published 2021-04-01

Priority: P2 (68), high
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 43.86% (98.6th percentile)

There's a flaw in the zeromq server in versions before 4.3.3 in src/decoder_allocators.hpp. The decoder static allocator could have its size changed, but the buffer would remain the same as it is a static buffer. A remote, unauthenticated attacker who sends a crafted request to the zeromq server could trigger a buffer overflow WRITE of arbitrary data if CURVE/ZAP authentication is not enabled. The greatest impact of this flaw is to application availability, data integrity, and confidentiality.

Affected (4 ranges)

Vendor   Product   Version range                   Fixed in
debian   zeromq3   < zeromq3 4.3.3-1 (bookworm)    zeromq3 4.3.3-1 (bookworm)
debian   zeromq3   (not stated)                    (not stated)
zeromq   libzmq    (not stated)                    (not stated)
zeromq   libzmq    >= 4.2.0, < 4.3.3               4.3.3

Detection & IOCs (extracted from sources)

  • Vulnerable code is located in src/decoder_allocators.hpp — the decoder static allocator buffer overflow write occurs in this file; patch presence/absence in this file can confirm exposure.
  • The vulnerability is triggered by malformed ZMTP v1 packets sent to the ZeroMQ server; monitor for anomalous/malformed ZMTP v1 traffic on ZeroMQ listener ports.
  • Exploitation requires CURVE/ZAP authentication to be DISABLED; audit ZeroMQ deployments for missing authentication configuration as a risk prioritization signal.
  • The attacker is remote and unauthenticated — no prior session or credentials needed; any exposed ZeroMQ port without CURVE/ZAP is an attack surface.
  • The vulnerability only affects zeromq versions before 4.3.3; fixed in version 4.3.3-1 on Debian-based systems. Verify the installed version to confirm exposure.
  • On Ubuntu, this issue only affected Ubuntu 18.04 ESM and Ubuntu 20.04 ESM — other Ubuntu releases are not impacted.
  • Red Hat Enterprise Linux and Red Hat Ceph Storage are stated as not affected (for the related CVE-2020-36400); zeromq3 in Red Hat Ceph Storage 2 is out of support scope for CVE-2021-20235.
  • CVE-2021-20235 and CVE-2020-36400 are distinct vulnerabilities both involving the static allocator/tcp_read path in ZeroMQ; do not conflate detections for the two.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.1     HIGH       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     LOW        -
vendor_redhat   -         9.8     CRITICAL   -
vendor_ubuntu   -         9.8     CRITICAL   -