Cyber Resilience

CVE-2021-47793

Severity: Medium · Public PoC referenced

Published: 16 January 2026
Modified: 30 January 2026
CVSS Score (v4): 4.6 · CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0003 (10.8th percentile)
Risk Priority: 9 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47793 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Telegram's Telegram Desktop client. Its CVSS base score is 4.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it at the 10.8th percentile for exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2021-47793 is a denial-of-service vulnerability in Telegram Desktop version 2.9.2. The flaw allows attackers to crash the application by sending an oversized message payload, specifically a 9 million byte buffer pasted into the messaging interface. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption without confidentiality or integrity effects.

Any remote attacker can exploit this vulnerability without privileges or user interaction, as it is network-accessible with low complexity. By generating and sending the oversized buffer, the attacker triggers an application crash, resulting in a denial of service for the targeted Telegram Desktop user.

Advisories and proof-of-concept exploits are documented in references including the official Telegram site (https://telegram.org), Exploit-DB (https://www.exploit-db.com/exploits/50247), and VulnCheck (https://www.vulncheck.com/advisories/telegram-desktop-denial-of-service-poc). These resources provide details on the issue and demonstration code, though specific patch instructions are not detailed in the available information. The CVE was published on 2026-01-16.


Vulnerability details

Telegram Desktop 2.9.2 contains a denial of service vulnerability that allows attackers to crash the application by sending an oversized message payload. Attackers can generate a 9 million byte buffer and paste it into the messaging interface to trigger an application crash.

CWE(s): CWE-770 (Allocation of Resources Without Limits or Throttling)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Direct mapping: exploitation of the application itself causes an endpoint DoS through a resource-exhaustion crash.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Affected Assets

Vendor: telegram
Product: telegram desktop
Version: 2.9.2

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SC-5 Denial-of-service Protection (prevent): directly addresses denial-of-service vulnerabilities like CVE-2021-47793 by requiring safeguards that limit the effect of oversized message payloads that would otherwise crash the application.

SI-10 Information Input Validation (prevent): validates incoming message payloads so that oversized buffers are rejected, preventing the unbounded resource allocation exploited in CVE-2021-47793.

SC-6 Resource Availability (prevent): protects against unauthorized depletion of resources from the large memory allocations that oversized inputs trigger in CVE-2021-47793.
