Wiz
Vulnerability DatabaseCVE-2021-43527

CVE-2021-43527
NixOS vulnerability analysis and mitigation

Overview

CVE-2021-43527 affects Network Security Services (NSS) versions prior to 3.73 or 3.68.1 ESR. The vulnerability is a heap overflow that occurs when handling DER-encoded DSA or RSA-PSS signatures. Applications using NSS for handling signatures encoded within CMS, S/MIME, PKCS #7, or PKCS #12 are likely to be impacted. The vulnerability was discovered in December 2021 (Mozilla Security, NVD).

Technical details

The vulnerability is a memory corruption flaw in the way NSS verifies certificates. The issue occurs in the decodeECorDsaSignature function when processing DER-encoded DSA or RSA-PSS signatures. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Red Hat, Hacker News).

Impact

A successful exploit could lead to remote code execution when a client application compiled with NSS tries to initiate an SSL/TLS connection to a malicious server. Similarly, server applications compiled with NSS that process client certificates can be triggered by receiving a malicious certificate. The vulnerability affects both server applications (like Red Hat Identity Management, Red Hat Directory Server) and client applications using the NSS crypto library (Red Hat).

Mitigation and workarounds

The primary mitigation is to update to NSS version 3.73 or 3.68.1 ESR. There are no effective workarounds, and customers should update to fixed packages as soon as they become available. Various vendors have released patches for their affected products, including Red Hat Enterprise Linux, Oracle, and others (Red Hat).

Community reactions

The vulnerability received significant attention due to its critical severity and wide impact across multiple products. Security researchers noted that the vulnerability had existed since June 2012 and survived multiple code refactoring cycles. Google Project Zero researcher Tavis Ormandy, who discovered the vulnerability, described it as a 'striking' example of how even well-maintained C/C++ code can contain serious flaws (Hacker News).

Additional resources

SourceThis report was generated using AI

Related NixOS vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-69264CRITICAL9.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-69263HIGH8.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-69262HIGH7.8
  • JavaScriptJavaScript
  • pnpm
NoYesJan 07, 2026
CVE-2025-20807MEDIUM6.7
  • NixOSNixOS
  • android
NoNoJan 06, 2026
CVE-2026-21885MEDIUM6.5
  • NixOSNixOS
  • miniflux
NoYesJan 08, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo