CVE-2021-34813
published 2021-06-16


Priority: P2 · 62 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.26% (89.8th percentile)
Matrix libolm before 3.2.3 allows a malicious Matrix homeserver to crash a client (while it is attempting to retrieve an Olm encrypted room key backup from the homeserver) because olm_pk_decrypt has a stack-based buffer overflow. Remote code execution might be possible for some nonstandard build configurations.

Affected (5 ranges)

Vendor  | Product | Version range                   | Fixed in
--------|---------|---------------------------------|----------------------------
debian  | olm     | < olm 3.2.3~dfsg-3 (bookworm)   | olm 3.2.3~dfsg-3 (bookworm)
matrix  | olm     | < 3.2.3                         | 3.2.3
matrix  | olm     | >= 0, < 3.2.3~dfsg-3            | 3.2.3~dfsg-3
matrix  | olm     | >= 0, < 3.2.3~dfsg-3            | 3.2.3~dfsg-3
matrix  | olm     | >= 0, < 3.2.3~dfsg-3            | 3.2.3~dfsg-3

Detection & IOCs (extracted from sources)

  • The vulnerable function is `olm_pk_decrypt` in libolm — monitor for crashes or anomalous stack activity in processes calling this function when retrieving Olm encrypted room key backups from a homeserver.
  • The overflow is triggered during retrieval of an Olm encrypted room key backup from a Matrix homeserver — a malicious homeserver can deliver a crafted payload to exploit this path.
  • Root cause is missing input-length validation in the `olm_pk_decrypt` module — look for oversized or malformed ciphertext/key-backup payloads delivered by a homeserver to a client.
  • Remote code execution is possible in nonstandard build configurations — treat any libolm build without stack-protection mitigations (e.g., no stack canaries, no NX) as high-severity RCE risk.
  • The vulnerability is fixed in libolm 3.2.3 — any deployment running libolm < 3.2.3 is vulnerable. Debian bullseye remains open/unpatched as of the tracker snapshot.
  • RCE impact is conditional on nonstandard build configurations (e.g., absence of stack-hardening compiler flags); standard builds are limited to DoS (crash).

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------------------------------------------------
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |