CVE-2021-34423 | Buffer overflow in Zoom client and other products

A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115, Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115, Zoom On-Premise Recording Connector before version 5.1.0.65.20211116, Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117, Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.

Published: 2021-11-24 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2021-34423 is rated High Risk (72.3/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 3.21%). Core evidence: EPSS rose +2.82% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2021-34423

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.39% 3.21% +2.82%
2 2026-01-14 0.98% 0.39% -0.60%
3 2025-12-23 0.98%

Full EPSS history (22 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2021-34423

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 5.9 [email protected]
7.3 3.0 HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L)
Might cause slowdowns, glitches, or partial disruption—not a full brick.
3.9 3.4 [email protected]
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
10.0 6.4 [email protected]

Weakness enumeration for CVE-2021-34423

Affected software / configurations for CVE-2021-34423

Vendor Product Version Raw CPE
zoom meetings < 5.8.3 cpe:2.3:a:zoom:meetings:*:*:*:*:*:*:*:*
zoom meetings < 5.8.4 cpe:2.3:a:zoom:meetings:*:*:*:*:*:*:*:*
zoom meetings_for_blackberry < 5.8.1 cpe:2.3:a:zoom:meetings_for_blackberry:*:*:*:*:*:*:*:*
zoom meetings_for_intune < 5.8.4 cpe:2.3:a:zoom:meetings_for_intune:*:*:*:*:*:*:*:*
zoom meetings_for_chrome_os < 5.0.1 cpe:2.3:a:zoom:meetings_for_chrome_os:*:*:*:*:*:*:*:*
zoom rooms_for_conference_rooms < 5.8.3 cpe:2.3:a:zoom:rooms_for_conference_rooms:*:*:*:*:*:*:*:*
zoom controllers_for_zoom_rooms < 5.8.3 cpe:2.3:a:zoom:controllers_for_zoom_rooms:*:*:*:*:*:*:*:*
zoom virtual_desktop_infrastructure < 5.8.4 cpe:2.3:a:zoom:virtual_desktop_infrastructure:*:*:*:*:*:*:*:*
zoom android_meeting_sdk < 5.7.6.1922 cpe:2.3:a:zoom:android_meeting_sdk:*:*:*:*:*:*:*:*
zoom iphone_os_meeting_sdk < 5.7.6.1082 cpe:2.3:a:zoom:iphone_os_meeting_sdk:*:*:*:*:*:*:*:*
zoom macos_meeting_sdk < 5.7.6.1340 cpe:2.3:a:zoom:macos_meeting_sdk:*:*:*:*:*:*:*:*
zoom windows_meeting_sdk < 5.7.6.1081 cpe:2.3:a:zoom:windows_meeting_sdk:*:*:*:*:*:*:*:*
zoom android_video_sdk < 1.1.2 cpe:2.3:a:zoom:android_video_sdk:*:*:*:*:*:*:*:*
zoom iphone_os_video_sdk < 1.1.2 cpe:2.3:a:zoom:iphone_os_video_sdk:*:*:*:*:*:*:*:*
zoom macos_video_sdk < 1.1.2 cpe:2.3:a:zoom:macos_video_sdk:*:*:*:*:*:*:*:*
zoom windows_video_sdk < 1.1.2 cpe:2.3:a:zoom:windows_video_sdk:*:*:*:*:*:*:*:*
zoom hybrid_mmr < 4.6.20211116.131 cpe:2.3:a:zoom:hybrid_mmr:*:*:*:*:*:*:*:*
zoom hybrid_zproxy < 1.0.1058.20211116 cpe:2.3:a:zoom:hybrid_zproxy:*:*:*:*:*:*:*:*
zoom zoom_on-premise_meeting_connector_controller < 4.8.12.20211115 cpe:2.3:a:zoom:zoom_on-premise_meeting_connector_controller:*:*:*:*:*:*:*:*
zoom zoom_on-premise_meeting_connector_mmr < 4.8.12.20211115 cpe:2.3:a:zoom:zoom_on-premise_meeting_connector_mmr:*:*:*:*:*:*:*:*
zoom zoom_on-premise_recording_connector < 5.1.0.65.20211116 cpe:2.3:a:zoom:zoom_on-premise_recording_connector:*:*:*:*:*:*:*:*
zoom zoom_on-premise_virtual_room_connector < 4.4.7266.20211117 cpe:2.3:a:zoom:zoom_on-premise_virtual_room_connector:*:*:*:*:*:*:*:*
zoom zoom_on-premise_virtual_room_connector_load_balancer < 2.5.5692.20211117 cpe:2.3:a:zoom:zoom_on-premise_virtual_room_connector_load_balancer:*:*:*:*:*:*:*:*
zoom vdi_azure_virtual_desktop < 5.8.4.21112 cpe:2.3:a:zoom:vdi_azure_virtual_desktop:*:*:*:*:*:*:*:*
zoom vdi_citrix < 5.8.4.21112 cpe:2.3:a:zoom:vdi_citrix:*:*:*:*:*:*:*:*
zoom vdi_vmware < 5.8.4.21112 cpe:2.3:a:zoom:vdi_vmware:*:*:*:*:*:*:*:*
zoom vdi_windows_meeting_client < 5.8.4 cpe:2.3:a:zoom:vdi_windows_meeting_client:*:*:*:*:*:*:*:*

References for CVE-2021-34423

cvelogic Threat Intelligence