CVE-2021-47793
Published: 16 January 2026
Summary
CVE-2021-47793 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Telegram Desktop (vendor: Telegram). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 10.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2021-47793 is a denial-of-service vulnerability in Telegram Desktop version 2.9.2. The flaw allows attackers to crash the application by sending an oversized message payload, specifically a 9 million byte buffer pasted into the messaging interface. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption without confidentiality or integrity effects.
Any remote attacker can exploit this vulnerability without privileges or user interaction, as it is network-accessible with low complexity. By generating and sending the oversized buffer, the attacker triggers an application crash, resulting in a denial of service for the targeted Telegram Desktop user.
Advisories and proof-of-concept exploits are documented in references including the official Telegram site (https://telegram.org), Exploit-DB (https://www.exploit-db.com/exploits/50247), and VulnCheck (https://www.vulncheck.com/advisories/telegram-desktop-denial-of-service-poc). These resources provide details on the issue and demonstration code, though specific patch instructions are not detailed in the available information. The CVE was published on 2026-01-16.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3030
Vulnerability details
Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash.
- CWE-770: Allocation of Resources Without Limits or Throttling
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
Direct mapping to application exploitation causing endpoint DoS via resource exhaustion crash.
Mitigating Controls (NIST 800-53 r5)
- SC-5 (Denial-of-service Protection) directly protects against denial-of-service vulnerabilities like CVE-2021-47793 by implementing safeguards to limit the effects of oversized message payloads causing application crashes.
- SI-10 (Information Input Validation) validates incoming message payloads to reject oversized buffers, preventing the resource allocation failure exploited in CVE-2021-47793.
- SC-6 (Resource Availability) ensures resource availability by protecting against unauthorized depletion from large memory allocations triggered by oversized inputs in CVE-2021-47793.
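As an added illustration of the SI-10 and SC-6 controls listed above (this is example code written for this page, not Telegram Desktop's code or the referenced proof-of-concept), the sketch below shows the defensive pattern behind CWE-770 mitigation: a bounded reader that stops and rejects an incoming message the moment it crosses a configured cap, instead of first allocating the entire oversized payload and only then checking its length. The cap value `MAX_MESSAGE_BYTES`, the exception type and the function names are assumptions; Telegram's real message limits are not stated on this page.

```python
import io

# Constructed cap for the example; Telegram's actual limits are not given on the page.
MAX_MESSAGE_BYTES = 4096


class PayloadTooLarge(ValueError):
    """Raised when an incoming message exceeds the configured size cap."""


def read_bounded(stream, limit=MAX_MESSAGE_BYTES, chunk_size=1024):
    """Read a message body from `stream` without ever holding more than
    `limit` + 1 bytes in memory.

    The read is incremental: the moment the accumulated data crosses the
    cap, the message is rejected. This is the allocation-side guard that
    CWE-770 (Allocation of Resources Without Limits or Throttling) is about:
    the sender cannot force the receiver to allocate a multi-megabyte buffer
    just by offering one.
    """
    buf = bytearray()
    while True:
        # Never ask for more than would push us one byte past the cap.
        want = min(chunk_size, limit + 1 - len(buf))
        chunk = stream.read(want)
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > limit:
            raise PayloadTooLarge(f"message exceeds {limit} bytes")


def accept_message(raw: bytes, limit=MAX_MESSAGE_BYTES) -> str:
    """SI-10 style validation of an already-received payload: enforce the
    cap and decode before any rendering or further processing happens.

    Invalid UTF-8 is replaced rather than raised so that a malformed-but-short
    message cannot itself become an availability problem.
    """
    if len(raw) > limit:
        raise PayloadTooLarge(f"message exceeds {limit} bytes")
    return raw.decode("utf-8", errors="replace")


def check_payload(data: bytes, limit=MAX_MESSAGE_BYTES) -> bool:
    """Convenience wrapper for tests and callers that want a boolean verdict:
    True if the payload would be accepted under `limit`, False if the bounded
    reader rejects it. Uses an in-memory stream so it runs offline."""
    try:
        read_bounded(io.BytesIO(data), limit=limit)
    except PayloadTooLarge:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: a normal short message and an oversized one of the
    # size class described in the advisory (9 million bytes).
    print("short message accepted:", check_payload(b"hello"))
    print("9 MB payload accepted:", check_payload(b"x" * 9_000_000))
```

The important design choice is that `read_bounded` decides before the full buffer exists: a length check on a fully materialised payload (as in `accept_message`) still lets the sender dictate the receiver's peak allocation, so the streaming guard is the one that actually delivers SC-6's resource-availability guarantee.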