CVE-2021-27135
Published: 2021-02-10
Priority: P357 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.54% (93.8th percentile)
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | xterm | < 366-1 (bookworm) | 366-1 (bookworm) |
| fedoraproject | fedora | — | — |
| invisible-island | xterm | < 366 | 366 |
| invisible-island | xterm | >= 0 < 366-1 | 366-1 |
| msrc | cbl2_xterm_372-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Ubuntu
xterm vulnerability
vendor_ubuntu · 2021-02-24
Summary: xterm could be made to crash or run programs if it handled specially crafted character sequences.
Tavis Ormandy discovered that xterm incorrectly handled certain character sequences. A remote attacker could use this issue to cause xterm to crash, resulting in a denial of service, or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
xterm: crash when processing combining characters
vendor_redhat · 2021-02-10 · CVSS 9.8 · CRITICAL · CWE-787
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
A flaw was found in xterm. A specially crafted sequence of combining characters causes an out-of-bounds write leading to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Mitigation: This vulnerability can be mitigated by disabling UTF-8 support in the XTerm configuration. An entry such as "XTerm.vt100.utf8: false" in Xresources will disable UTF-8. This can be set as a system default in /etc/X11/Xresources, or per-user in ~/.Xresources.
Note that this setting can still be overridden if x
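A check for the two facts a practitioner wants after reading the Red Hat mitigation above: whether the installed xterm is below Patch #366, and whether the utf8 resource is actually turned off. This is an added example, not code from Red Hat, the xterm project or any distribution. It assumes `xterm -version` prints the patch level as `XTerm(NNN)` and that the resource dump is in the `key:<whitespace>value` form `xrdb -query` prints; the function names are this example's own. "Remote" in the CVE description means untrusted bytes written to the terminal (a file viewed with cat, output from an ssh session, a fetched log line), so the check belongs on every host where xterm displays such content.

```shell
#!/bin/sh
# Added example (not xterm or Red Hat code): classify an xterm build for
# CVE-2021-27135 from the "XTerm(NNN)" string that `xterm -version` prints
# (assumed format) and look in a resource dump, as printed by `xrdb -query`,
# for the Red Hat mitigation (XTerm.vt100.utf8: false).

# Print the patch number from an `xterm -version` string; print nothing
# if the string is not of the form XTerm(NNN).
xterm_patch_number() {
    printf '%s\n' "$1" | sed -n 's/^XTerm(\([0-9][0-9]*\)).*/\1/p'
}

# Succeed (exit 0) when the version string is a patch level below 366,
# i.e. a build that still has the combining-character out-of-bounds write.
xterm_affected() {
    p=$(xterm_patch_number "$1")
    [ -n "$p" ] && [ "$p" -lt 366 ]
}

# Succeed when the resource text turns UTF-8 off for the VT100 widget.
# Accepts the class form from the advisory (XTerm.vt100.utf8: false) and
# the wildcard/instance spellings a resource database commonly holds
# (xterm*utf8: 0). Value separator may be spaces or the tab xrdb prints.
utf8_disabled() {
    printf '%s\n' "$1" \
      | grep -Eiq '^xterm[.*](vt100[.*])?utf8:[[:space:]]*(false|0|off|no)[[:space:]]*$'
}

# Combined verdict: patched / affected / affected-mitigated / unknown.
# "unknown" means the version string could not be parsed, which should be
# investigated rather than treated as safe.
cve_2021_27135_status() {
    p=$(xterm_patch_number "$1")
    if [ -z "$p" ]; then
        echo unknown
    elif [ "$p" -ge 366 ]; then
        echo patched
    elif utf8_disabled "$2"; then
        echo affected-mitigated
    else
        echo affected
    fi
}

# Live use on a host (both commands are silenced if xterm or xrdb are absent):
#   cve_2021_27135_status "$(xterm -version 2>/dev/null)" "$(xrdb -query 2>/dev/null)"
```

The resource check only sees what is loaded into the X resource database. xterm's own `-u8` command-line option sets the same resource and wins over it, and an xterm started with a different `-class` is not matched by `XTerm.*` entries, so treat "affected-mitigated" as weaker than "patched" and upgrade to Patch #366 (366-1 on Debian) rather than relying on the resource alone.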
Microsoft
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
vendor_msrc · 2021-02-09 · CVSS 9.8 · CRITICAL
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mari
Debian
CVE-2021-27135: xterm
vendor_debian · 2021 · CVSS 9.8 · CRITICAL
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
Scope: local
bookworm: resolved (fixed in 366-1)
bullseye: resolved (fixed in 366-1)
forky: resolved (fixed in 366-1)
sid: resolved (fixed in 366-1)
trixie: resolved (fixed in 366-1)
GHSA
GHSA-3w4p-5chr-2r8f
ghsa_unreviewed · 2022-05-24 · CRITICAL
xterm through Patch #365 allows remote attackers to cause a denial of service (segmentation fault) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
OSV
CVE-2021-27135
osv · 2021-02-10 · CVSS 9.8 · CRITICAL
xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://seclists.org/fulldisclosure/2021/May/52
http://www.openwall.com/lists/oss-security/2021/02/10/7
https://access.redhat.com/security/cve/CVE-2021-27135
https://bugzilla.redhat.com/show_bug.cgi?id=1927559
https://bugzilla.suse.com/show_bug.cgi?id=1182091
https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c
https://invisible-island.net/xterm/xterm.log.html
https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/
https://news.ycombinator.com/item?id=26524650
https://security.gentoo.org/glsa/202208-22
https://www.openwall.com/lists/oss-security/2021/02/09/7
https://www.openwall.com/lists/oss-security/2021/02/09/9