Cyber Resilience

CVE-2021-47875

Severity: Medium · Public PoC

Published: 21 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none specified
CVSS Score v4: 4.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0035 (26.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2021-47875 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GeoGebra (product inferred from references). Its CVSS base score is 4.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-47875 is a denial of service vulnerability in GeoGebra CAS Calculator version 6.0.631.0, stemming from a buffer overflow condition classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The issue allows attackers to crash the application by generating a payload consisting of 8000 repeated characters and pasting it into the calculator's input field. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential impacts on confidentiality, integrity, and availability.

According to the CVSS v3.1 vector, the vulnerability is exploitable by any remote attacker with no privileges or user interaction required, although the attack actually described involves pasting a specially crafted input into the calculator. Successful exploitation triggers an application crash, resulting in a denial of service; the high CVSS scores suggest broader potential for data exposure or manipulation, even though the primary observed effect is DoS.

Advisories and references, including an exploit on Exploit-DB (https://www.exploit-db.com/exploits/49655), the official GeoGebra site (https://www.geogebra.org), and a VulnCheck advisory (https://www.vulncheck.com/advisories/geogebra-cas-calculator-denial-of-service), document the issue but do not specify patches or detailed mitigations in the available information. Security practitioners should verify updates from GeoGebra and avoid unpatched versions of the calculator.

EU & UK References

Vulnerability details

GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Buffer overflow in local calculator input directly enables application crash for Endpoint DoS via exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2021-47784 (shared CWE-770)
CVE-2021-47793 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2026-23490 (shared CWE-770)
CVE-2026-31866 (shared CWE-770)
CVE-2026-33260 (shared CWE-770)
CVE-2026-33012 (shared CWE-770)
CVE-2026-5438 (shared CWE-770)
CVE-2024-57662 (shared CWE-770)

Affected Assets

GeoGebra
(inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly validates and sanitizes user inputs to the calculator field, preventing buffer overflows from oversized payloads like 8000 repeated characters.

prevent: Restricts the amount and characteristics of information inputs, blocking excessively large payloads that trigger the buffer overflow DoS.

prevent: Implements denial-of-service protections to limit the effects of resource exhaustion attacks causing application crashes.
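The three controls above amount to bounding both the size of a single input and the rate at which inputs are handed to the evaluator. The following is an added illustration of that pattern, written for this page and not taken from GeoGebra's code base; `MAX_INPUT_CHARS`, `checkCasInput`, `createThrottle`, `guardedEvaluate` and the toy evaluator are all assumed names, and the 1024-character limit and 3-per-second budget are constructed values, not figures from the advisory.

```javascript
// Added example (not GeoGebra code): bound input size (SI-10) and evaluation
// rate (SC-5) before an expression reaches a CAS evaluator.
// MAX_INPUT_CHARS is an assumed limit chosen for the example.
const MAX_INPUT_CHARS = 1024;

// Reject non-string or oversized input. Length is counted in code points so
// that multi-byte characters are not under-counted.
function checkCasInput(text, maxChars = MAX_INPUT_CHARS) {
  if (typeof text !== 'string') {
    return { ok: false, reason: 'input is not a string' };
  }
  const length = [...text].length;
  if (length > maxChars) {
    return { ok: false, reason: `input of ${length} chars exceeds limit of ${maxChars}` };
  }
  return { ok: true, reason: null };
}

// Sliding-window throttle: at most maxCalls evaluations per windowMs.
// The clock is injectable so behaviour is deterministic in tests.
function createThrottle(maxCalls, windowMs, now = () => Date.now()) {
  const stamps = [];
  return function allow() {
    const t = now();
    while (stamps.length > 0 && t - stamps[0] >= windowMs) {
      stamps.shift();
    }
    if (stamps.length >= maxCalls) {
      return false;
    }
    stamps.push(t);
    return true;
  };
}

// Wrap an evaluator so that oversized input, or input arriving faster than
// the budget allows, never reaches it.
function guardedEvaluate(evaluator, text, options = {}) {
  const { maxChars = MAX_INPUT_CHARS, throttle = null } = options;
  const check = checkCasInput(text, maxChars);
  if (!check.ok) {
    return { evaluated: false, error: check.reason };
  }
  if (throttle && !throttle()) {
    return { evaluated: false, error: 'evaluation budget exceeded, try again later' };
  }
  return { evaluated: true, result: evaluator(text) };
}

// Constructed stand-in evaluator: counts '+'-separated terms. It is not a CAS
// and exists only so the guard has something to protect.
function toyEvaluator(text) {
  return text.split('+').map((s) => s.trim()).filter(Boolean).length;
}

// Constructed sample inputs: a normal expression and an 8000-character repeat
// of the kind the advisory describes.
const normalInput = 'x^2 + 2*x + 1';
const oversizedInput = 'A'.repeat(8000);

// Stand-alone run: the oversized input is rejected before evaluation.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(guardedEvaluate(toyEvaluator, normalInput));
  console.log(guardedEvaluate(toyEvaluator, oversizedInput));
}
```

The guard is deliberately placed in front of the evaluator rather than inside it: the advisory's point is that the input field accepted the 8000-character payload at all, so the cheapest mitigation is to refuse it before any parsing or allocation happens.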

References