CVE-2021-25217 | A buffer overrun in lease file parsing code can be used to exploit a common vulnerability shared by dhcpd and dhclient

Exp

In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches of ISC DHCP (i.e., releases in the 4.0.x series or lower and releases in the 4.3.x series) are beyond their End-of-Life (EOL) and no longer supported by ISC. From inspection it is clear that the defect is also present in releases from those series, but they have not been officially tested for the vulnerability), The outcome of encountering the defect while reading a lease that will trigger it varies, according to: the component being affected (i.e., dhclient or dhcpd) whether the package was built as a 32-bit or 64-bit binary whether the compiler flag -fstack-protection-strong was used when compiling In dhclient, ISC has not successfully reproduced the error on a 64-bit system. However, on a 32-bit system it is possible to cause dhclient to crash when reading an improper lease, which could cause network connectivity problems for an affected system due to the absence of a running DHCP client process. In dhcpd, when run in DHCPv4 or DHCPv6 mode: if the dhcpd server binary was built for a 32-bit architecture AND the -fstack-protection-strong flag was specified to the compiler, dhcpd may exit while parsing a lease file containing an objectionable lease, resulting in lack of service to clients. Additionally, the offending lease and the lease immediately following it in the lease database may be improperly deleted. if the dhcpd server binary was built for a 64-bit architecture OR if the -fstack-protection-strong compiler flag was NOT specified, the crash will not occur, but it is possible for the offending lease and the lease which immediately followed it to be improperly deleted.

Published: 2021-05-26 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2021-25217 is rated High Exploit Risk (82/100): CVSS High severity, with high exploitation likelihood (EPSS 6.12%, 92th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +5.67% over the last day, indicating growing attacker interest. Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2021-25217

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2021-25217

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.45% 6.12% +5.67%
2 2026-05-09 0.30% 0.45% +0.15%
3 2026-04-08 0.30%

Full EPSS history (34 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-25217

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.4 3.1 HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 4.0 [email protected]
7.4 3.1 HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H Click to expand
Attack vector (AV:A)
Attacker has to be nearby on the network—same office, same link, that vibe—not the whole wide internet.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 2.8 4.0 [email protected]
3.3 2.0 LOW
AV:A/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:A)
Requires access to an adjacent network segment.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
 6.5 2.9 [email protected]

Weakness enumeration for CVE-2021-25217

OS Trackers for CVE-2021-25217

vendor priority summary link
alpine high CVE-2021-25217: 1 source package rows (dhcp); 10 state rows across 7 repos (3.11-main, 3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, edge-main); fixed 6, open 4. https://security.alpinelinux.org/vuln/CVE-2021-25217
debian not yet assigned CVE-2021-25217 not yet assigned priority: Debian including 1 source packages (isc-dhcp), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): resolved 4. https://security-tracker.debian.org/tracker/CVE-2021-25217
gentoo normal CVE-2021-25217: 1 GLSA(s) (202305-22), 1 atom(s) (net-misc/dhcp); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-25217
redhat high https://access.redhat.com/security/cve/CVE-2021-25217
suse high CVE-2021-25217 severity important: SUSE including 281 source package names (1.1.1.23.352:dhcp-4.3.6.P1-6.11.1, 1.1.1.23.352:dhcp-client-4.3.6.P1-6.11.1, …), 1004 product×package rows across 336 product lines (Container suse/sles/15.6/libguestfs-tools, Container suse/sles/15.7/libguestfs-tools, … (336 product lines)): Fixed 839, Known Affected 165. https://www.suse.com/security/cve/CVE-2021-25217/
ubuntu medium CVE-2021-25217 medium priority: Ubuntu including 1 source packages (isc-dhcp), 9 status rows across 9 suites (bionic, focal, groovy, hirsute, impish, jammy, trusty, upstream, xenial): released 8, needs-triage 1. https://ubuntu.com/security/CVE-2021-25217

Affected software / configurations for CVE-2021-25217

Vendor Product Version Raw CPE
isc dhcp >= 4.4.0, <= 4.4.2 cpe:2.3:a:isc:dhcp:*:*:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r10:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r10_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r10_rc1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r10b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r10rc1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11_rc1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11_rc2:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11rc1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r11rc2:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r12:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r12-p1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r12_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r12_p1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r12b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r13:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r13_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r13b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r14:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r14_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r14b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r15:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r15-p1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r15_b1:*:*:*:*:*:*
isc dhcp 4.1-esv cpe:2.3:a:isc:dhcp:4.1-esv:r16:*:*:*:*:*:*
fedoraproject fedora 33 cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
fedoraproject fedora 34 cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
debian debian_linux 9.0 cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1400_firmware < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1400_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1500_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1500_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1501_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1501_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1510_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1510_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1511_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1511_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1512_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1512_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1524_firmware < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1524_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx1536_firmware < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx1536_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_rx5000_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_rx5000_firmware:*:*:*:*:*:*:*:*
siemens ruggedcom_rox_mx5000_firmware >= 2.3.0, < 2.15.0 cpe:2.3:o:siemens:ruggedcom_rox_mx5000_firmware:*:*:*:*:*:*:*:*
netapp ontap_select_deploy_administration_utility cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
netapp solidfire_\&_hci_management_node cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
siemens sinec_ins < 1.0 cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*
siemens sinec_ins 1.0 cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*
siemens sinec_ins 1.0 cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*

References for CVE-2021-25217

URL Tags
http://www.openwall.com/lists/oss-security/2021/05/26/6 Mailing List Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-406691.pdf Patch Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf Patch Third Party Advisory
https://kb.isc.org/docs/cve-2021-25217 Exploit Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00002.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5QI4DYC7J4BGHEW3NH4XHMWTHYC36UK4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z2LB42JWIV4M4WDNXX5VGIP26FEYWKIF/
https://security.gentoo.org/glsa/202305-22
https://security.netapp.com/advisory/ntap-20220325-0011/ Third Party Advisory
cvelogic Threat Intelligence