CVE-2021-40516

7.5 HIGH

📋 TL;DR

CVE-2021-40516 is an out-of-bounds read vulnerability in WeeChat's Relay plugin that allows remote attackers to crash the application via specially crafted WebSocket frames. This affects WeeChat users with the Relay plugin enabled, potentially exposing chat clients to denial of service attacks.

💻 Affected Systems

Products:
  • WeeChat
Versions: All versions before 3.2.1
Operating Systems: All platforms running WeeChat (Linux, macOS, BSD, etc.)
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Relay plugin is enabled and configured to accept WebSocket connections. The Relay plugin is not enabled by default.


⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote unauthenticated attacker causes WeeChat to crash, disrupting chat sessions and potentially leading to data loss if unsaved messages are present.

🟠

Likely Case

Denial of service through application crash, requiring manual restart of WeeChat to restore functionality.

🟢

If Mitigated

No impact if Relay plugin is disabled or proper network segmentation prevents access to the vulnerable service.

🌐 Internet-Facing: HIGH if Relay plugin is exposed to untrusted networks, as exploitation requires only network access.
🏢 Internal Only: MEDIUM if Relay plugin is used internally, as exploitation still requires network access but from a more limited attack surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a malicious WebSocket frame to the vulnerable Relay plugin endpoint. No authentication is required if the service is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1

Vendor Advisory: https://weechat.org/doc/security/

Restart Required: Yes

Instructions:

1. Update WeeChat to version 3.2.1 or later using your package manager.
2. For source installations: download the latest release from weechat.org and compile.
3. Restart WeeChat after updating.

🔧 Temporary Workarounds

Disable Relay Plugin

Platform: all

Disable the vulnerable Relay plugin to prevent exploitation

/plugin unload relay

Restrict Network Access

Platform: linux

Configure firewall rules to restrict access to WeeChat Relay port (default 9001)

iptables -A INPUT -p tcp --dport 9001 -j DROP

🧯 If You Can't Patch

  • Disable the Relay plugin entirely if not needed
  • Implement strict network segmentation to isolate WeeChat from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check WeeChat version and verify Relay plugin is enabled: /version and /plugin info relay

Check Version:

/version

Verify Fix Applied:

Confirm version is 3.2.1 or later: /version

📡 Detection & Monitoring

Log Indicators:

  • WeeChat crash logs
  • Segmentation fault errors in system logs
  • Unexpected termination of weechat process

Network Indicators:

  • Malformed WebSocket frames to Relay plugin port
  • Multiple connection attempts to port 9001

SIEM Query:

(process.name:"weechat" AND event.action:"crashed") OR (destination.port:9001 AND network.protocol:"websocket")
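The version check under "How to Verify" and the log indicators under "Detection & Monitoring" can both be scripted for fleet-wide use. The following Python is an added example, not code from the CVE page or from the WeeChat project: it compares a WeeChat version string against the 3.2.1 fix release and scans journal lines for the segfault/SIGSEGV signatures named above. The sample log lines and their exact format are constructed for this example, and the version string format accepted by `parse_version` is an assumption (it tolerates both `weechat --version` output and the in-client `/version` text by searching for the first dotted number).

```python
"""Added example (not part of the CVE-2021-40516 page): version and log checks.

- is_vulnerable(): parses a WeeChat version string and compares it with the
  fixed release 3.2.1 named in the advisory.
- find_crash_indicators(): scans log lines for the crash signatures listed
  under "Detection & Monitoring" (segfault / SIGSEGV / unexpected exit).
The sample journal lines below are constructed for this example.
"""
import re
from typing import Iterable, List, Tuple

FIXED_VERSION: Tuple[int, int, int] = (3, 2, 1)  # first release with the fix

# First dotted version number in the text; a missing patch component counts as 0.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from text such as 'WeeChat 3.2' or '3.2.1'.

    Input format is an assumption: output of `weechat --version` or the
    in-client /version command, or a bare version string.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_vulnerable(version_text: str) -> bool:
    """True when the parsed version is older than 3.2.1.

    Relay plugin status must still be checked separately: an unpatched host
    with the relay plugin unloaded is not exposed to this issue.
    """
    return parse_version(version_text) < FIXED_VERSION


# Crash indicators from the advisory, expressed as patterns over typical
# kernel / systemd journal lines (the exact line formats are assumptions).
_CRASH_PATTERNS = [
    re.compile(r"\bweechat\[\d+\]: segfault at", re.IGNORECASE),
    re.compile(r"Segmentation fault", re.IGNORECASE),
    re.compile(r"weechat.*(SIGSEGV|/SEGV\b|code=dumped)", re.IGNORECASE),
]


def find_crash_indicators(lines: Iterable[str]) -> List[str]:
    """Return the log lines that match any crash indicator pattern."""
    return [line for line in lines if any(p.search(line) for p in _CRASH_PATTERNS)]


# Constructed sample journal excerpt: two crash lines and one unrelated line.
SAMPLE_LOG = """\
Sep 01 10:00:01 irc-host kernel: weechat[2314]: segfault at 7f1c00000010 ip 00007f1c1a2b3c4d sp 00007ffd1e2f3a40 error 4 in relay.so[7f1c1a2a0000+40000]
Sep 01 10:00:01 irc-host systemd[1]: weechat.service: Main process exited, code=dumped, status=11/SEGV
Sep 01 10:05:12 irc-host sshd[2400]: Accepted publickey for alice from 10.0.0.5 port 51234
"""

if __name__ == "__main__":
    for v in ("WeeChat 3.2", "3.2.1", "WeeChat 3.3"):
        print(f"{v!r}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    for hit in find_crash_indicators(SAMPLE_LOG.splitlines()):
        print("crash indicator:", hit)
```

A crash indicator on its own only says that WeeChat died; correlating it with a connection to the relay port (the second half of the SIEM query above) is what distinguishes a suspected CVE-2021-40516 trigger from an unrelated fault. The version comparison treats any pre-release or development build labelled below 3.2.1 as vulnerable, which errs on the side of caution.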
