CVE-2021-27212
Published 2021-02-14
Priority P356, high, 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 64.15% (99.1th percentile)
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openldap | < openldap 2.4.57+dfsg-2 (bookworm) | openldap 2.4.57+dfsg-2 (bookworm) |
| msrc | openldap-2.4.57-2.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | openldap-2.4.57-2.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | openldap-2.4.57-6.cm2.aarch64.rpm_on_cbl_mariner_2.0_arm | — | — |
| msrc | openldap-2.4.57-6.cm2.x86_64.rpm_on_cbl_mariner_2.0_x64 | — | — |
| msrc | openldap-debuginfo-2.4.57-2.cm1.aarch64.rpm_on_cbl_mariner_1.0_arm | — | — |
| msrc | openldap-debuginfo-2.4.57-2.cm1.x86_64.rpm_on_cbl_mariner_1.0_x64 | — | — |
| msrc | openldap-debuginfo-2.4.57-6.cm2.aarch64.rpm_on_cbl_mariner_2.0_arm | — | — |
| msrc | openldap-debuginfo-2.4.57-6.cm2.x86_64.rpm_on_cbl_mariner_2.0_x64 | — | — |
| openldap | openldap | <= 2.4.57 | — |
| openldap | openldap | — | — |
| openldap | openldap | — | — |
| openldap | openldap | >= 0 < 2.4.57+dfsg-2 | 2.4.57+dfsg-2 |
| openldap | openldap | >= 0 < 2.4.57+dfsg-2 | 2.4.57+dfsg-2 |
| openldap | openldap | >= 0 < 2.4.57+dfsg-2 | 2.4.57+dfsg-2 |
| openldap | openldap | >= 0 < 2.4.57+dfsg-2 | 2.4.57+dfsg-2 |
| openldap | openldap | >= 0 < 2.4.31-1+nmu2ubuntu8.5+esm8 | 2.4.31-1+nmu2ubuntu8.5+esm8 |
Detection & IOCs
- Trigger point is the issuerAndThisUpdateCheck function in slapd; an assertion failure there (via schema_init.c / checkTime) indicates exploitation of this CVE.
- The attack vector is a crafted network packet containing a short/malformed timestamp sent to the slapd LDAP daemon; monitor the slapd process for unexpected assertion-triggered exits.
- OpenLDAP incorrectly handled certain short timestamps; inspect LDAP traffic for anomalously short timestamp fields in X.509-related requests (e.g., CRL/OCSP thisUpdate fields).
- Red Hat Enterprise Linux 8 and 9 are NOT affected because the OpenLDAP-servers package (which contains slapd) was not shipped; only client-side openldap packages are present.
- Vulnerable versions are OpenLDAP ≤ 2.4.57 and 2.5.x through 2.5.1alpha; Debian fixed the issue in 2.4.57+dfsg-2.
CVSS provenance
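| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |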
Ubuntu
OpenLDAP vulnerabilities
vendor_ubuntu·2025-08-24·CVSS 7.5
CVE-2021-27212 [HIGH] OpenLDAP vulnerabilities
Title: OpenLDAP vulnerabilities
Summary: Several security issues were fixed in OpenLDAP.
It was discovered that OpenLDAP incorrectly handled X.509 DN parsing. A
remote attacker could possibly use this issue to cause OpenLDAP to crash,
resulting in a denial of service. (CVE-2020-36229, CVE-2020-36230)
Pasi Saarinen discovered that OpenLDAP incorrectly handled certain short
timestamps. A remote attacker could possibly use this issue to cause
OpenLDAP to crash, resulting in a denial of service. (CVE-2021-27212)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
OpenLDAP vulnerability
vendor_ubuntu·2021-02-22
CVE-2021-27212 OpenLDAP vulnerability
Title: OpenLDAP vulnerability
Summary: OpenLDAP could be made to crash if it received specially crafted network
traffic.
Pasi Saarinen discovered that OpenLDAP incorrectly handled certain short
timestamps. A remote attacker could possibly use this issue to cause
OpenLDAP to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
openldap: Assertion failure in slapd in the issuerAndThisUpdateCheck function
vendor_redhat·2021-02-14·CVSS 7.5
CVE-2021-27212 [HIGH] CWE-400 openldap: Assertion failure in slapd in the issuerAndThisUpdateCheck function
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
A flaw was found in openldap. An assertion failure in slapd can occur resulting in a denial of service (daemon exit) via a short timestamp. The highest threat from this vulnerability is to system availability.
Statement: Red Hat Enterprise Linux 8 and 9 are not affected as we have not shipped the OpenLDAP-servers package.
Package: compat-openldap (Red Hat Enterprise Linux 6) - Out of support scope
Package: openldap (Red Hat Enterprise
Microsoft
vendor_msrc·2021-02-09·CVSS 7.5
CVE-2021-27212 [HIGH] CWE-617
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more info
Debian
CVE-2021-27212: openldap
vendor_debian·2021·CVSS 7.5
CVE-2021-27212 [HIGH]
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
Scope: local
bookworm: resolved (fixed in 2.4.57+dfsg-2)
bullseye: resolved (fixed in 2.4.57+dfsg-2)
forky: resolved (fixed in 2.4.57+dfsg-2)
sid: resolved (fixed in 2.4.57+dfsg-2)
trixie: resolved (fixed in 2.4.57+dfsg-2)
OSV
openldap vulnerabilities
osv·2025-08-24·CVSS 7.5
CVE-2020-36229 [HIGH] openldap vulnerabilities
It was discovered that OpenLDAP incorrectly handled X.509 DN parsing. A
remote attacker could possibly use this issue to cause OpenLDAP to crash,
resulting in a denial of service. (CVE-2020-36229, CVE-2020-36230)
Pasi Saarinen discovered that OpenLDAP incorrectly handled certain short
timestamps. A remote attacker could possibly use this issue to cause
OpenLDAP to crash, resulting in a denial of service. (CVE-2021-27212)
GHSA
GHSA-274h-c788-hf3c
ghsa_unreviewed·2022-05-24
CVE-2021-27212 [HIGH] CWE-617
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
OSV
CVE-2021-27212
osv·2021-02-14·CVSS 7.5
CVE-2021-27212 [HIGH]
In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an assertion failure in slapd can occur in the issuerAndThisUpdateCheck function via a crafted packet, resulting in a denial of service (daemon exit) via a short timestamp. This is related to schema_init.c and checkTime.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://bugs.openldap.org/show_bug.cgi?id=9454
- https://git.openldap.org/openldap/openldap/-/commit/3539fc33212b528c56b716584f2c2994af7c30b0
- https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/02/msg00035.html
- https://security.netapp.com/advisory/ntap-20210319-0005/
- https://www.debian.org/security/2021/dsa-4860