CVE-2021-27135

CRITICALNVD 9.89.8—

9.8

xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

CVSS v3: 9.8
EG Score: 9.8(medium)
EPSS: 72.9%
KEV: Not listed

Published

February 10, 2021

Last Modified

November 21, 2024

Advisory Details (10)

Auto-updated May 26, 2026

Patch available. Sources: redhat, github_commit.

generic Patch Available

CVE-2021-27135: xterm flaw may allow remote code execution, CVSS 9.6 | Hacker News

https://news.ycombinator.com/item?id=26524650

generic

[SECURITY] Fedora 33 Update: xterm-366-1.fc33 - package-announce - Fedora mailing-lists

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35LK2ZXEIJUOGOA7FV2TJL3L6LFJ4X5S/

generic Patch Available

[SECURITY] [DLA 2558-1] xterm security update

https://lists.debian.org/debian-lts-announce/2021/02/msg00019.html

generic

XTERM - Change Log

https://invisible-island.net/xterm/xterm.log.html

github_commit

commit 82ba55b8f994 (ThomasDickey/xterm-snapshots)

Fix landed in ThomasDickey/xterm-snapshots commit 82ba55b8f994 — awaiting tagged release

https://github.com/ThomasDickey/xterm-snapshots/commit/82ba55b8f994ab30ff561a347b82ea340ba7075c

generic

1182091 – (CVE-2021-27135) VUL-0: CVE-2021-27135: xterm: crash when processing combining characters

https://bugzilla.suse.com/show_bug.cgi?id=1182091

redhat Patch Available

1927559 – (CVE-2021-27135) CVE-2021-27135 xterm: crash when processing combining characters

Affected: Red Hat Enterprise Linux 8

https://bugzilla.redhat.com/show_bug.cgi?id=1927559

redhat Patch Available

cve-details

https://access.redhat.com/security/cve/CVE-2021-27135

generic

oss-security - Re: Re: screen crash processing combining characters

http://www.openwall.com/lists/oss-security/2021/02/10/7

generic

Full Disclosure: CVE-2021-31535 libX11 Insufficient Length Checks PoC and Archeology

http://seclists.org/fulldisclosure/2021/May/52

Patch Availability(5)

Vendor / Ecosystem	Fixed in / Patch	Released	Source
ubuntu	xterm (322-1ubuntu1.2) @ xenial	2026-05-26	ubuntu
redhat	xterm-0:331-1.el8_1.1	2021-02-24	redhat
redhat	xterm-0:331-1.el8_2.1	2021-02-24	redhat
redhat	xterm-0:295-3.el7_9.1	2021-02-22	redhat
redhat	xterm-0:331-1.el8_3.2	2021-02-18	redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

All Vendor Advisories

(6)

Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.

Data Freshness Timeline

(refreshed 12× in last 7d / 20× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

2026-06-08 14:15 UTCEPSS rescore
2026-06-07 15:23 UTCEPSS rescore
2026-06-07 15:23 UTCEPSS rescore
2026-06-06 13:46 UTCEPSS rescore
2026-06-06 13:46 UTCEPSS rescore
2026-06-06 13:46 UTCEPSS rescore
2026-06-05 22:45 UTCEPSS rescore
2026-06-05 22:45 UTCEPSS rescore
2026-06-05 06:09 UTCEPSS rescore
2026-06-05 06:09 UTCEPSS rescore
2026-06-04 13:10 UTCEPSS rescore
2026-06-04 13:10 UTCEPSS rescore
2026-06-02 20:11 UTCEPSS rescore
2026-06-02 20:11 UTCEPSS rescore
2026-06-02 20:11 UTCEPSS rescore
2026-06-01 13:50 UTCEPSS rescore
2026-06-01 13:50 UTCEPSS rescore
2026-05-31 22:29 UTCEPSS rescore
2026-05-31 22:29 UTCEPSS rescore
2026-05-31 00:15 UTCEPSS rescore

Frequently asked(5)

What is CVE-2021-27135?

CVE-2021-27135 is a critical vulnerability published on February 10, 2021. xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

When was CVE-2021-27135 disclosed?

CVE-2021-27135 was first published in the National Vulnerability Database on February 10, 2021, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2021-27135 actively exploited?

CVE-2021-27135 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 72.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2021-27135?

CVE-2021-27135 has a CVSS v3 base score of 9.8 (NVD).

How do I remediate CVE-2021-27135?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2021-27135, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-27135

Explore →

Is Your Infrastructure Affected by CVE-2021-27135?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2021-27135

📅 Published

🔄 Last Modified

📋 Advisory Details (10)

CVE-2021-27135: xterm flaw may allow remote code execution, CVSS 9.6 | Hacker News

[SECURITY] Fedora 33 Update: xterm-366-1.fc33 - package-announce - Fedora mailing-lists

[SECURITY] [DLA 2558-1] xterm security update

XTERM - Change Log

commit 82ba55b8f994 (ThomasDickey/xterm-snapshots)

1182091 – (CVE-2021-27135) VUL-0: CVE-2021-27135: xterm: crash when processing combining characters

1927559 – (CVE-2021-27135) CVE-2021-27135 xterm: crash when processing combining characters

cve-details

oss-security - Re: Re: screen crash processing combining characters

Full Disclosure: CVE-2021-31535 libX11 Insufficient Length Checks PoC and Archeology

Patch Availability(5)

All Vendor Advisories

Data Freshness Timeline

❓ Frequently asked(5)

Dependency Blast Radius

Is Your Infrastructure Affected by CVE-2021-27135?

Published

Last Modified

Advisory Details (10)

Frequently asked(5)