CVE-2021-26937
First published: Tue Feb 09 2021(Updated: )
encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/screen | <=4.5.0-6<=4.8.0-3<=4.2.1-3+deb8u1<=4.6.2-3 | 4.8.0-4 4.6.2-3+deb10u1 |
| debian/screen | 4.6.2-3+deb10u1 4.8.0-6 4.9.0-4 4.9.1-1 | |
| GNU screen | <=4.8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html
- https://security-tracker.debian.org/tracker/CVE-2021-26937
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
- https://www.openwall.com/lists/oss-security/2021/02/09/3
- https://savannah.gnu.org/bugs/?60030
- https://people.debian.org/~abe/
- https://salsa.debian.org/debian/screen
- https://security-tracker.debian.org/tracker/CVE-2021-27135
- https://www.openwall.com/lists/oss-security/2021/02/09/7
- https://stackoverflow.com/questions/47783583/generating-3-byte-0x800-to-0xffff-utf-8-encodings-in-java
- http://arc.pasp.de/
- https://axel.beckert.ch/
- https://email.is-not-s.ms/
- https://savannah.gnu.org/bugs/?31336
- https://bugs.debian.org/600246
- https://bugs.debian.org/677512
- https://packages.qa.debian.org/s/screen/news/20210211T235456Z.html
- https://salsa.debian.org/debian/screen/-/tree/jessie
- https://salsa.debian.org/debian/screen/-/commits/jessie/
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982435
- http://www.openwall.com/lists/oss-security/2021/02/09/8
- https://ftp.gnu.org/gnu/screen/
- https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/
- https://security.gentoo.org/glsa/202105-11
- https://www.debian.org/security/2021/dsa-4861
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JJWLXP45POUUYBJRRWPVAWNZDJTLYWVM/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNWBOIDEPOEQS5RMQVMFKHKXJCGNYWBL/
Frequently Asked Questions
What is CVE-2021-26937?
CVE-2021-26937 is a vulnerability in GNU Screen through 4.8.0 that allows remote attackers to cause a denial of service or possibly have other impacts via a crafted UTF-8 character sequence.
What is the severity of CVE-2021-26937?
The severity of CVE-2021-26937 is critical with a CVSS score of 9.8.
How can I check if my GNU Screen version is affected by CVE-2021-26937?
To check if your GNU Screen version is affected by CVE-2021-26937, you can refer to the official GNU Screen website or the Debian security advisory for the affected versions.
How do I fix CVE-2021-26937?
To fix CVE-2021-26937, you should update to GNU Screen version 4.8.0-4 or any patched versions provided by your operating system vendor.
Are there any references for CVE-2021-26937?
Yes, you can find references for CVE-2021-26937 at the following URLs: http://www.openwall.com/lists/oss-security/2021/02/09/8, https://ftp.gnu.org/gnu/screen/, https://lists.debian.org/debian-lts-announce/2021/02/msg00031.html
- collector/debian-bugs
- alias/CVE-2021-26937
- collector/security-tracker-debian
- collector/nvd-index
- agent/weakness
- agent/type
- agent/description
- agent/event
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/debian
- vendor/gnu
- canonical/gnu screen
- version/gnu screen/4.8.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33