CVE-2021-43527

CRITICAL
Published Dec 8, 2021 · Modified Jun 17, 2026
9.8 CVSS 3.1
Critical

Description

NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR are vulnerable to a heap overflow when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. Applications using NSS for certificate validation or other TLS, X.509, OCSP or CRL functionality may be impacted, depending on how they configure NSS. *Note: This vulnerability does NOT impact Mozilla Firefox.* However, email clients and PDF viewers that use NSS for signature verification, such as Thunderbird, LibreOffice, Evolution and Evince are believed to be impacted. This vulnerability affects NSS < 3.73 and NSS < 3.68.1.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-787 Out-of-bounds Write (Memory Safety)

Affected Products 11

Vendor           | Product                                                           | Version    | Range
-----------------|-------------------------------------------------------------------|------------|-------------------
mozilla          | nss                                                               | *          | < 3.73
mozilla          | nss_esr                                                           | *          | < 3.68.1
netapp           | cloud_backup                                                      | *          | any
netapp           | e-series_santricity_os_controller                                 | *          | ≥ 11.0 – ≤ 11.70.1
oracle           | communications_cloud_native_core_binding_support_function         | 1.11.0     | any
oracle           | communications_cloud_native_core_network_repository_function      | 1.15.0     | any
oracle           | communications_cloud_native_core_network_repository_function      | 1.15.1     | any
oracle           | communications_cloud_native_core_network_slice_selection_function | 1.8.0      | any
oracle           | communications_policy_management                                  | 12.6.0.0.0 | any
starwindsoftware | starwind_san_&_nas                                                | v8r13      | any
starwindsoftware | starwind_virtual_san                                              | v8r13      | any

References 9

  • bugzilla.mozilla.org https://bugzilla.mozilla.org/show_bug.cgi?id=1737470
    Issue Tracking, Permissions Required, Vendor Advisory
  • cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-594438.pdf
    Third Party Advisory
  • ftp.mozilla.org https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_68_1_RTM/
    Vendor Advisory
  • ftp.mozilla.org https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_73_RTM/
    Vendor Advisory
  • security.gentoo.org https://security.gentoo.org/glsa/202212-05
    Third Party Advisory
  • security.netapp.com https://security.netapp.com/advisory/ntap-20211229-0002/
    Third Party Advisory
  • mozilla.org https://www.mozilla.org/security/advisories/mfsa2021-51/
    Vendor Advisory
  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory
  • starwindsoftware.com https://www.starwindsoftware.com/security/sw-20220802-0001/
    Third Party Advisory

Remediation

  • oracle.com https://www.oracle.com/security-alerts/cpuapr2022.html
    Patch, Third Party Advisory