CVE-2021-47875
Published: 21 January 2026
Summary
CVE-2021-47875 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in GeoGebra (inferred from references). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-47875 is a denial of service vulnerability in GeoGebra CAS Calculator version 6.0.631.0, stemming from a buffer overflow condition classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The issue allows attackers to crash the application by generating a payload consisting of 8000 repeated characters and pasting it into the calculator's input field. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential impacts on confidentiality, integrity, and availability.
The vulnerability can be exploited by any remote attacker with no privileges or user interaction required, according to the CVSS vector, though the described attack involves pasting a specially crafted input. Successful exploitation triggers an application crash, resulting in a denial of service, with the high CVSS scores suggesting broader potential for data exposure or manipulation despite the primary DoS effect.
Advisories and references, including an exploit on Exploit-DB (https://www.exploit-db.com/exploits/49655), the official GeoGebra site (https://www.geogebra.org), and a VulnCheck advisory (https://www.vulncheck.com/advisories/geogebra-cas-calculator-denial-of-service), document the issue but do not specify patches or detailed mitigations in the available information. Security practitioners should verify updates from GeoGebra and avoid unpatched versions of the calculator.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3615
Vulnerability details
GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a payload with 8000 repeated characters and paste it into the calculator's input field to trigger an application crash.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An oversized input pasted into the local calculator field directly causes an application crash, which maps to Endpoint Denial of Service: Application or System Exploitation (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- Directly validates and sanitizes user inputs to the calculator field, preventing buffer overflows from oversized payloads such as 8000 repeated characters.
- Restricts the amount and characteristics of information inputs, blocking excessively large payloads that trigger the buffer overflow DoS.
- Implements denial-of-service protections to limit the effects of resource exhaustion attacks that cause application crashes.
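The input-validation and denial-of-service controls listed above, and the oversized-input failure described under "Deeper analysis", are illustrated by the following JavaScript. It is an example added for this page, not code from GeoGebra or from any of the cited advisories. It assumes a calculator-style text field whose contents are handed to an evaluator; the 1024-character cap, the 20-evaluations-per-second window, the `ThrottledEvaluator` wrapper and the `toyEvaluate` stand-in are all invented for illustration, and the oversized sample input is constructed to match the 8000-repeated-character shape the advisory describes.

```javascript
// Added example (not GeoGebra code): length-limit and throttle an
// expression-input field before any evaluation work is done. The limit
// values and the toy evaluator are assumptions for illustration.

const DEFAULT_LIMITS = Object.freeze({
  maxLength: 1024,              // assumed cap on a single expression
  maxEvaluationsPerWindow: 20,  // assumed cap on evaluations per window
  windowMs: 1000,               // sliding window for the rate limit
});

// Input-validation check (SI-10 style): reject inputs that are not strings,
// are empty, or exceed the configured length. Length is counted in code
// points so multi-byte characters are measured the same way as ASCII.
function validateExpressionInput(input, limits = DEFAULT_LIMITS) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  const length = [...input].length;
  if (length === 0) return { ok: false, reason: 'empty', length };
  if (length > limits.maxLength) return { ok: false, reason: 'too-long', length };
  return { ok: true, length };
}

// Denial-of-service protection (SC-5 style): only validated inputs reach the
// evaluator, and the number of evaluations per sliding window is capped.
// Rejections are kept in an audit list so repeated oversized or rapid
// submissions are visible to monitoring.
class ThrottledEvaluator {
  constructor(evaluate, limits = DEFAULT_LIMITS, now = Date.now) {
    this.evaluate = evaluate;
    this.limits = limits;
    this.now = now;            // injectable clock for deterministic tests
    this.timestamps = [];      // accepted-evaluation times within the window
    this.rejected = [];        // audit trail: { at, reason, length }
  }

  submit(input) {
    const check = validateExpressionInput(input, this.limits);
    const t = this.now();
    if (!check.ok) {
      this.rejected.push({ at: t, reason: check.reason, length: check.length });
      return { accepted: false, reason: check.reason };
    }
    // Drop timestamps that have aged out of the window, then apply the cap.
    this.timestamps = this.timestamps.filter((ts) => t - ts < this.limits.windowMs);
    if (this.timestamps.length >= this.limits.maxEvaluationsPerWindow) {
      this.rejected.push({ at: t, reason: 'rate-limited', length: check.length });
      return { accepted: false, reason: 'rate-limited' };
    }
    this.timestamps.push(t);
    return { accepted: true, result: this.evaluate(input) };
  }
}

// Stand-in for a real CAS (hypothetical): evaluates sums of non-negative
// integers such as "2+3" and returns null for anything else.
function toyEvaluate(expr) {
  if (!/^\s*\d+(\s*\+\s*\d+)*\s*$/.test(expr)) return null;
  return expr.split('+').reduce((acc, n) => acc + Number(n), 0);
}

// Constructed sample inputs: a normal expression and a payload shaped like
// the one the advisory describes (8000 repeated characters).
const NORMAL_INPUT = '2+3';
const OVERSIZED_INPUT = 'A'.repeat(8000);

// Runs both samples through the guarded evaluator and returns the outcomes.
function demo() {
  const evaluator = new ThrottledEvaluator(toyEvaluate);
  return {
    normal: evaluator.submit(NORMAL_INPUT),       // { accepted: true, result: 5 }
    oversized: evaluator.submit(OVERSIZED_INPUT), // { accepted: false, reason: 'too-long' }
    rejectedCount: evaluator.rejected.length,     // 1
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The length check runs before any evaluator work, so an oversized payload costs only a string-length count rather than whatever the real engine would spend parsing it; the sliding-window cap bounds how much evaluation a single field can trigger per second even when every input is individually within limits, and the `rejected` list gives a defender something to alert on.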