CVE-2021-42574

HIGH
Published Nov 1, 20214y ago · Modified Jun 17, 20262w ago
8.3 CVSS 3.1
High
Find Similar
Published Nov 1, 2021 4y ago
Last Modified Jun 17, 2026 2w ago

Description

An issue was discovered in the Bidirectional Algorithm in the Unicode Specification through 14.0. It permits the visual reordering of characters via control sequences, which can be used to craft source code that renders different logic than the logical ordering of tokens ingested by compilers and interpreters. Adversaries can leverage this to encode source code for compilers accepting Unicode such that targeted vulnerabilities are introduced invisibly to human reviewers. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard and the Unicode Bidirectional Algorithm (all versions). Due to text display behavior when text includes left-to-right and right-to-left characters, the visual order of tokens may be different from their logical order. Additionally, control characters needed to fully support the requirements of bidirectional text can further obfuscate the logical order of tokens. Unless mitigated, an adversary could craft source code such that the ordering of tokens perceived by human reviewers does not match what will be processed by a compiler/interpreter/etc. The Unicode Consortium has documented this class of vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms, and in Unicode Standard Annex #31, Unicode Identifier and Pattern Syntax. Also, the BIDI specification allows applications to tailor the implementation in ways that can mitigate misleading visual reordering in program text; see HL4 in Unicode Standard Annex #9, Unicode Bidirectional Algorithm.

CVSS Details

Base Score
8.3
Exploitability
1.6
Impact
6.0
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-94 Improper Control of Generation of Code (Code Injection) Injection

Affected Products 5

VendorProductVersionRange
unicodeunicode* <14.0.0
fedoraprojectfedora33any
fedoraprojectfedora34any
fedoraprojectfedora35any
starwindsoftwarestarwind_virtual_sanv8r13any

References 18

  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/1
    ExploitMailing ListMitigationThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/4
    ExploitMailing ListThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/5
    Mailing ListThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/01/6
    Mailing ListThird Party Advisory
  • openwall.com http://www.openwall.com/lists/oss-security/2021/11/02/10
    Mailing List
  • unicode.org http://www.unicode.org/versions/Unicode14.0.0/
    Release NotesVendor Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2RG5YTR6ZZOLUV3EUPZEIJR7XHJLVD/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LQNTFF24ROHLVPLUOEISBN3F7QM27L4U/
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QUPA37D57VPTDLSXOOGF4UXUEADOC4PQ/
  • security.gentoo.org https://security.gentoo.org/glsa/202210-09
    Third Party Advisory
  • trojansource.codes https://trojansource.codes
    ExploitTechnical DescriptionThird Party Advisory
  • kb.cert.org https://www.kb.cert.org/vuls/id/999008
    Third Party AdvisoryUS Government Resource
  • scyon.nl https://www.scyon.nl/post/trojans-in-your-source-code
    ExploitMitigationThird Party Advisory
  • starwindsoftware.com https://www.starwindsoftware.com/security/sw-20220804-0002/
    Third Party Advisory
  • unicode.org https://www.unicode.org/reports/tr31/
    Technical DescriptionVendor Advisory
  • unicode.org https://www.unicode.org/reports/tr36/
    Technical DescriptionVendor Advisory
  • unicode.org https://www.unicode.org/reports/tr39/
    Technical DescriptionVendor Advisory
  • unicode.org https://www.unicode.org/reports/tr9/tr9-44.html#HL4
    Technical DescriptionVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.