Cyber Resilience

CVE-2021-40391

CriticalPublic PoC

Published: 19 November 2021

Published
19 November 2021
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0047 65.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2021-40391 is a critical-severity Detection of Error Condition Without Action (CWE-390) vulnerability in Gerbv Project Gerbv. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 34.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

An out-of-bounds write vulnerability exists in the drill format T-code tool number functionality of Gerbv 2.7.0, dev (commit b5f1eacd), and the forked version of Gerbv (commit 71493260). A specially-crafted drill file can lead to code execution. An attacker can provide…

more

a malicious file to trigger this vulnerability.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

gerbv project
gerbv
2.7.0
debian
debian linux
9.0
fedoraproject
fedora
36

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-390 CWE-755

Requires explicit action (alert plus additional responses) on audit logging failures rather than detecting the error condition without acting.

addresses: CWE-390 CWE-755

Procedures require detection of error/incident conditions followed by defined response actions.

addresses: CWE-390 CWE-755

IR testing verifies that detected error conditions trigger appropriate response actions rather than being ignored.

addresses: CWE-390 CWE-755

Provides assistance for handling incidents, ensuring detected error conditions lead to appropriate user actions rather than inaction.

addresses: CWE-755 CWE-390

Enforces structured response to exceptional conditions so the system cannot remain in an unsafe state.

addresses: CWE-755 CWE-390

Mandates defined procedures that ensure exceptional conditions are handled in a controlled, secure manner instead of being ignored or mishandled.

addresses: CWE-390

The control mandates response actions to address results from monitoring and assessments, preventing detection of error conditions without subsequent corrective action.

addresses: CWE-755

Supplies a concrete handling action (safe mode) for exceptional conditions, mitigating risks from improper or absent handling that could allow continued attacks.

References