libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.
Conclusion & alert: CVE-2021-33913 is rated High Exploit Risk (77/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.35%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2025-11-21 | 14.15% | 1.35% | -12.80% |
| 2 | 2025-11-18 | 1.35% | 14.15% | +12.80% |
| 3 | 2025-06-28 | — | 1.35% | — |
Full EPSS history (26 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
| 9.3 | 2.0 | HIGH |
|
8.6 | 10.0 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2021-33913: 1 source package rows (libspf2); 15 state rows across 8 repos (3.12-main, 3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 8. | https://security.alpinelinux.org/vuln/CVE-2021-33913 |
debian
|
not yet assigned | CVE-2021-33913 not yet assigned priority: Debian including 1 source packages (libspf2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-33913 |
gentoo
|
normal | CVE-2021-33913: 1 GLSA(s) (202401-22), 1 atom(s) (mail-filter/libspf2); latest impact normal. | https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2021-33913 |
ubuntu
|
medium | CVE-2021-33913 medium priority: Ubuntu including 1 source packages (libspf2), 11 status rows across 11 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, upstream, xenial): not-affected 4, ignored 3, released 3, needs-triage 1. | https://ubuntu.com/security/CVE-2021-33913 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| libspf2_project | libspf2 | < 1.2.11 | cpe:2.3:a:libspf2_project:libspf2:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/shevek/libspf2/tree/8131fe140704eaae695e76b5cd09e39bd1dd220b | Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/01/msg00015.html | Mailing List Third Party Advisory |
| https://nathanielbennett.com/blog/libspf2-cve-jan-2022-disclosure | Exploit Third Party Advisory |
| https://security.gentoo.org/glsa/202401-22 |