CVE-2021-30639 | DoS after non-blocking IO error

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

Published: 2021-07-12 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-30639 is rated High Risk (67.6/100): CVSS High severity, with high exploitation likelihood (EPSS 6.89%, 93th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +6.47% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-30639

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.42% 6.89% +6.47%
2 2026-03-28 0.71% 0.42% -0.29%
3 2026-03-17 0.71%

Full EPSS history (31 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-30639

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.5 3.1 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 3.6 [email protected]
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 2.9 [email protected]

Weakness enumeration for CVE-2021-30639

GitHub Security Advisory for CVE-2021-30639

GHSA-44qp-qhfv-c7f6 · Severity: high · Ecosystem: maven — Improper Handling of Exceptional Conditions in Apache Tomcat

OS Trackers for CVE-2021-30639

vendor priority summary link
debian unimportant CVE-2021-30639 unimportant priority: Debian including 1 source packages (tomcat9), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2021-30639
gentoo low CVE-2021-30639: 1 GLSA(s) (202208-34), 1 atom(s) (www-servers/tomcat); latest impact low. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-30639
redhat high https://access.redhat.com/security/cve/CVE-2021-30639
ubuntu medium CVE-2021-30639 medium priority: Ubuntu including 4 source packages (tomcat6, tomcat7, tomcat8, tomcat9), 60 status rows across 15 suites (bionic, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, trusty, upstream, xenial): DNE 37, not-affected 14, ignored 7, released 2. https://ubuntu.com/security/CVE-2021-30639

Affected software / configurations for CVE-2021-30639

Vendor Product Version Raw CPE
apache tomcat 8.5.64 cpe:2.3:a:apache:tomcat:8.5.64:*:*:*:*:*:*:*
apache tomcat 9.0.44 cpe:2.3:a:apache:tomcat:9.0.44:*:*:*:*:*:*:*
apache tomcat 10.0.3 cpe:2.3:a:apache:tomcat:10.0.3:*:*:*:*:*:*:*
apache tomcat 10.0.4 cpe:2.3:a:apache:tomcat:10.0.4:*:*:*:*:*:*:*
mcafee epolicy_orchestrator < 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:*:*:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_10:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_4:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_5:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_6:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_7:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_8:*:*:*:*:*:*
mcafee epolicy_orchestrator 5.10.0 cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_9:*:*:*:*:*:*
oracle big_data_spatial_and_graph < 23.1 cpe:2.3:a:oracle:big_data_spatial_and_graph:*:*:*:*:*:*:*:*

References for CVE-2021-30639

cvelogic Threat Intelligence