CVE-2021-21810

9.8 CRITICAL

📋 TL;DR

CVE-2021-21810 is a critical heap buffer overflow in the XML parser of Xmill 0.7 (an XML compression tool). A specially crafted XML file fed to Xmill corrupts the heap, which can crash the process (denial of service) or, with more effort, lead to arbitrary code execution with the privileges of the process running Xmill. Any system that passes untrusted XML through Xmill 0.7 is affected. No authentication or user interaction beyond processing the file is required, so the bug is reachable wherever an attacker can get a crafted file into Xmill's input, for example through an upload endpoint or a batch-processing pipeline.

💻 Affected Systems

Products:
  • Xmill
Versions: Version 0.7
Operating Systems: All platforms where Xmill 0.7 runs
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or pipeline that invokes Xmill 0.7 to compress or process XML is vulnerable. The flaw is in the core parsing code, so there is no configuration option that avoids it; every input file goes through the affected parser.

📦 What is this software?

Xmill is a command-line XML compressor/decompressor originally developed at AT&T Labs Research. It reads the input document with its own XML parser, which is where this bug lives, so any build of version 0.7 that is handed untrusted XML is exposed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Arbitrary code execution with the privileges of the process that runs Xmill. Where Xmill is called from a service running as root or SYSTEM, that means full compromise of the host, data theft and a foothold for lateral movement within the network.

🟠 Likely Case

Denial of service: the Xmill process crashes on the crafted file. Turning the heap overflow into reliable code execution takes real work, so code execution is the targeted-attack outcome rather than the default one.

🟢 If Mitigated

With ASLR, DEP/NX and a hardened heap allocator in place, most attempts end in a crash rather than code execution, but these raise the cost of exploitation rather than rule it out. Only removing Xmill 0.7, or keeping untrusted XML away from it, closes the bug.

🌐 Internet-Facing: HIGH - wherever an internet-reachable service (file upload, ingest or conversion pipeline) feeds attacker-supplied XML to Xmill. Xmill itself does not listen on the network; the exposure comes from whatever hands it files.
🏢 Internal Only: MEDIUM - an internal user or an already-compromised host only needs to get a crafted XML file processed by Xmill, for example through a shared directory or a scheduled batch job.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: Not known - no in-the-wild exploitation has been documented
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept input that crashes Xmill is publicly available. Triggering the bug requires only a specially crafted XML file; no authentication or user interaction beyond the file being processed is needed. A crash PoC is not the same as a working code-execution exploit, but it is enough for denial of service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch exists, and Xmill appears to be abandoned software. The only secure fix is to remove Xmill 0.7 and replace it with a maintained XML toolchain; decompress any existing Xmill archives on a trusted, isolated host before retiring it.

🔧 Temporary Workarounds

Disable XML processing with Xmill (platform: all)

Remove or disable Xmill functionality from applications, and remove the Xmill binaries and libraries from the system.

Input validation and sanitization (platform: all)

Validate untrusted XML with a maintained parser and enforce size, nesting-depth and name-length limits before anything reaches Xmill. This filters malformed input and bounds the blast radius; it does not make Xmill's own parser safe, because a file one parser accepts can still trigger the bug in another.

🧯 If You Can't Patch

  • Network segmentation to isolate systems using Xmill
  • Implement strict file upload controls and XML validation at the application layer
  • Run Xmill as a dedicated low-privilege user, in a container or sandbox, with CPU and memory limits and core dumps disabled, so a triggered overflow crashes a throwaway worker rather than the host
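The validation-before-Xmill workaround and the sandboxing advice above, as one added example; this is illustration code, not part of the advisory or of the Xmill project. It rejects anything a maintained parser (expat, via xml.etree) will not accept, refuses DTDs, caps size, nesting depth and name lengths, then runs Xmill in a child process with memory/CPU limits and no core files. Assumptions: Xmill is invoked as `xmill <file.xml>` (check the usage banner of your build), and the numeric limits are placeholders to tune.

```python
"""Guard in front of Xmill for untrusted XML (added example, assumptions noted)."""
from __future__ import annotations

import os
import resource            # POSIX only; Windows has no rlimits
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from io import BytesIO
from typing import Tuple

MAX_BYTES = 10 * 1024 * 1024   # reject larger documents (assumed limit)
MAX_DEPTH = 256                # element nesting (assumed limit)
MAX_NAME_LEN = 1024            # tag/attribute name length (assumed limit)


def validate_xml(data: bytes, max_bytes: int = MAX_BYTES,
                 max_depth: int = MAX_DEPTH,
                 max_name_len: int = MAX_NAME_LEN) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects oversized, DTD-bearing, malformed
    or absurdly nested/long-named XML before Xmill ever sees it."""
    if len(data) > max_bytes:
        return False, "document exceeds size cap"
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD / entity declarations are not accepted"
    depth = 0
    try:
        for event, elem in ET.iterparse(BytesIO(data), events=("start", "end")):
            if event == "start":
                depth += 1
                if depth > max_depth:
                    return False, "nesting deeper than cap"
                names = [elem.tag, *elem.attrib.keys()]
                if any(len(n) > max_name_len for n in names):
                    return False, "tag or attribute name longer than cap"
            else:
                depth -= 1
    except ET.ParseError as exc:
        return False, f"not well-formed: {exc}"
    return True, "ok"


def _child_limits() -> None:
    """Runs in the child before exec: bound memory and CPU and disable core
    files, so a triggered overflow costs a crashed child, not the host."""
    resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))


def compress_untrusted(data: bytes, xmill_bin: str = "xmill",
                       timeout_s: int = 60) -> Tuple[bool, str]:
    """Validate, then hand the file to Xmill under rlimits and a timeout.
    The `xmill <file>` invocation is an assumption about the CLI."""
    ok, why = validate_xml(data)
    if not ok:
        return False, why
    with tempfile.NamedTemporaryFile(suffix=".xml", delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        proc = subprocess.run([xmill_bin, path], capture_output=True,
                              preexec_fn=_child_limits, timeout=timeout_s,
                              check=False)
    except subprocess.TimeoutExpired:
        return False, "xmill timed out"
    finally:
        os.unlink(path)
    if proc.returncode < 0:
        # Killed by a signal (SIGSEGV, SIGABRT, ...): treat as a crash, not success.
        return False, f"xmill killed by signal {-proc.returncode}"
    return proc.returncode == 0, proc.stderr.decode(errors="replace")
```

The pre-check only removes junk and bounds resources: expat accepting a file says nothing about whether Xmill's own parser handles it safely, so this is a stop-gap until Xmill is removed. Treat a negative return code from the child as a possible exploitation attempt and alert on it.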

🔍 How to Verify

Check if Vulnerable:

Check whether Xmill is installed: find / -name "*xmill*" -type f 2>/dev/null, then determine the version of each hit (see below). Also grep application configs and scripts for invocations of xmill, since the binary may live outside the usual paths.

Check Version:

Xmill 0.7 does not offer a reliable --version flag. Run the binary without arguments and look for a version in its usage output, ask the package manager that installed it, or run strings on the binary and grep for 0.7.

Verify Fix Applied:

Re-run the find above and confirm that no Xmill 0.7 binary or library remains on the system, and that no application or job still invokes it.
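The three verification steps above, as one added inventory script (illustration code, not from the advisory). It walks a directory tree for files named like xmill, looks for a compiled-in version string in each candidate's bytes the way strings | grep would, and reports which hits are 0.7. Assumptions: the binary name contains "xmill", and the banner in the binary contains the word xmill followed within a few dozen bytes by a dotted version such as 0.7; the fixture files it builds for the demo are constructed, not real binaries.

```python
"""Inventory Xmill binaries on a host (added example, assumptions noted)."""
from __future__ import annotations

import os
import re
import tempfile
from typing import Iterator, List, Optional, Tuple

VULNERABLE_VERSION = "0.7"
READ_LIMIT = 32 * 1024 * 1024   # only scan the first 32 MiB of each file
# Assumed banner shape: "... XMill version 0.7 ..." (case-insensitive).
VERSION_RE = re.compile(rb"(?i)xmill[^\x00\n]{0,40}?(\d+\.\d+)")


def find_candidates(root: str) -> Iterator[str]:
    """Yield regular (non-symlink) files under root whose name contains 'xmill'."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if "xmill" in name.lower():
                path = os.path.join(dirpath, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    yield path


def embedded_version(path: str) -> Optional[str]:
    """Return the first xmill version string found in the file, if any."""
    with open(path, "rb") as fh:
        match = VERSION_RE.search(fh.read(READ_LIMIT))
    return match.group(1).decode() if match else None


def audit(root: str) -> List[Tuple[str, Optional[str], bool]]:
    """(path, version, vulnerable) for every candidate under root."""
    results = []
    for path in sorted(find_candidates(root)):
        version = embedded_version(path)
        results.append((path, version, version == VULNERABLE_VERSION))
    return results


def remediated(root: str) -> bool:
    """True once no Xmill 0.7 binary remains under root."""
    return not any(vuln for _, _, vuln in audit(root))


def demo() -> Tuple[List[Tuple[str, Optional[str], bool]], bool]:
    """Build a constructed fixture tree and audit it (for readers and tests)."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(bindir)
        # Constructed fake binaries: a vulnerable 0.7 build and an unrelated tool.
        with open(os.path.join(bindir, "xmill"), "wb") as fh:
            fh.write(b"\x7fELF\x00junk\x00XMill version 0.7 (C) AT&T Labs\x00")
        with open(os.path.join(bindir, "xmill-ng"), "wb") as fh:
            fh.write(b"\x7fELF\x00xmill-ng 1.2\x00")
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("nothing to see here")
        rel = [(os.path.relpath(p, root), v, vuln) for p, v, vuln in audit(root)]
        return rel, remediated(root)


if __name__ == "__main__":
    for path, version, vuln in audit("/"):
        print(f"{'VULNERABLE' if vuln else 'ok':10} {version or '?':6} {path}")
```

Run it as root so every directory is readable; a candidate with no version string still deserves a manual look, since a stripped or renamed build will not match the banner regex.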

📡 Detection & Monitoring

Log Indicators:

  • Kernel segfault lines for the Xmill process (kernel: xmill[pid]: segfault at ... error N ...) or systemd-coredump / crash-reporter records naming xmill
  • Memory access violation errors or heap-corruption aborts raised while Xmill is processing a file
  • Unexpected termination of Xmill workers, especially repeated crashes on the same input or from the same source

Network Indicators:

  • Large or malformed XML files being sent to applications that hand input to Xmill
  • XML with unusually long element or attribute names, extreme nesting depth or abnormal attribute structures

SIEM Query:

Process crash or termination events where the process name is xmill (kernel segfault lines, core dump records, abnormal exit signals), OR file-upload / HTTP POST events carrying XML content to endpoints known to pass input to Xmill. Correlate the two: an upload immediately followed by an Xmill crash on the same host is the pattern to alert on.
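The log indicators and the SIEM query above, as one added detection example (illustration code, not from the advisory). It picks kernel segfault lines and systemd-coredump records for the Xmill process out of syslog-style text and decodes the page-fault error code on the kernel line: bit 1 set means the faulting access was a write, which, at an address that looks attacker-influenced rather than near page zero, is a stronger heap-overflow signal than a plain NULL-pointer read. Assumptions: syslog-style lines shaped like the constructed sample below, and that the watched binaries are named xmill and xdemill (the decompressor assumed to ship with it; adjust to your install).

```python
"""Pick Xmill crashes out of syslog (added example, constructed sample log)."""
from __future__ import annotations

import re
from collections import Counter
from typing import Dict, List, Optional

WATCHED = {"xmill", "xdemill"}   # xdemill assumed to ship alongside xmill; adjust

SEGFAULT_RE = re.compile(
    r"(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp [0-9a-f]+ error (?P<err>\d+)")
COREDUMP_RE = re.compile(
    r"systemd-coredump\[\d+\]: Process (?P<pid>\d+) \((?P<proc>[^)]+)\) "
    r"of user (?P<uid>\d+) dumped core")

# Constructed sample log (not real telemetry).
SAMPLE_LOG = """\
Mar  3 10:01:12 ingest01 kernel: [12345.678] xmill[4242]: segfault at 0 ip 0000000000401c7f sp 00007ffd2b1c0a30 error 4 in xmill[400000+2b000]
Mar  3 10:01:13 ingest01 systemd-coredump[4250]: Process 4242 (xmill) of user 1001 dumped core.
Mar  3 10:02:40 ingest01 kernel: [12433.101] xmill[4301]: segfault at 41414141 ip 0000000000402910 sp 00007ffc6e2d5f10 error 6 in xmill[400000+2b000]
Mar  3 10:05:00 ws07 kernel: [999.000] firefox[2201]: segfault at 10 ip 00007f3a11c02b40 sp 00007ffe0e8f1a20 error 4 in libxul.so[7f3a10000000+6000000]
Mar  3 10:05:01 ingest01 nginx: POST /upload HTTP/1.1 200
"""


def parse_line(line: str) -> Optional[Dict]:
    """One event dict for a segfault or core-dump line, else None."""
    m = SEGFAULT_RE.search(line)
    if m:
        err = int(m.group("err"))
        # x86 page-fault error code: bit0 protection violation, bit1 write, bit2 user mode.
        return {"kind": "segfault", "proc": m.group("proc"),
                "pid": int(m.group("pid")), "addr": int(m.group("addr"), 16),
                "write_fault": bool(err & 2), "raw": line}
    m = COREDUMP_RE.search(line)
    if m:
        return {"kind": "coredump", "proc": m.group("proc"),
                "pid": int(m.group("pid")), "addr": None,
                "write_fault": None, "raw": line}
    return None


def scan(text: str) -> List[Dict]:
    """Events for watched processes only, in log order."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["proc"] in WATCHED:
            events.append(ev)
    return events


def high_signal(events: List[Dict]) -> List[Dict]:
    """Segfaults that are write faults or fault far from page zero: the shape
    a heap overflow leaves, as opposed to a simple NULL dereference."""
    return [e for e in events if e["kind"] == "segfault"
            and (e["write_fault"] or e["addr"] >= 0x1000)]


def crash_counts(events: List[Dict]) -> Dict[str, int]:
    """Crashes per watched process, for thresholding in a SIEM rule."""
    return dict(Counter(e["proc"] for e in events))


if __name__ == "__main__":
    evs = scan(SAMPLE_LOG)
    print(crash_counts(evs))
    for e in high_signal(evs):
        print("HIGH", e["pid"], hex(e["addr"]), "write" if e["write_fault"] else "read")
```

Feed the same two regexes to your SIEM as the crash side of the query and join on host and time against upload events; a single NULL-read crash is noise, a write fault at a non-zero address right after an XML upload is worth a ticket.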
