CVE-2021-4048 [Critical] | Out-of-bounds Read in Lapack

An out-of-bounds read flaw was found in the CLARRV, DLARRV, SLARRV, and ZLARRV functions in lapack through version 3.10.0, as also used in OpenBLAS before version 0.3.18. Specially crafted inputs passed to these functions could cause an application using lapack to crash or possibly disclose portions of its memory.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-01-20	0.24%	0.36%	+0.13%
2	2026-01-02	0.36%	0.24%	-0.13%
3	2025-11-21	—	0.36%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-01-20

0.24%

0.36%

+0.13%

2026-01-02

0.36%

0.24%

-0.13%

2025-11-21

—

0.36%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.1	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.2	[email protected]
6.4	2.0	MEDIUM	`AV:N/AC:L/Au:N/C:P/I:N/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:P) Partial availability impact.	10.0	4.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.1

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:N): Data isn’t meaningfully altered or forged.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.2

[email protected]

6.4

2.0

MEDIUM

AV:N/AC:L/Au:N/C:P/I:N/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

4.9

[email protected]

OS Trackers for CVE-2021-4048

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2021-4048 not yet assigned priority: Debian including 2 source packages (lapack, openblas), 10 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 8, open 2.	https://security-tracker.debian.org/tracker/CVE-2021-4048
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2021-4048
`suse`	medium	CVE-2021-4048 severity moderate: SUSE including 133 source package names (0.1.6-1.2:libblas3-3.5.0-4.6.1, 0.1.6-1.2:liblapack3-3.5.0-4.6.1, …), 230 product×package rows across 33 product lines (Container containers/lmcache-lmstack-router, Container containers/lmcache-vllm-openai, … (33 product lines)): Fixed 215, Known Not Affected 15.	https://www.suse.com/security/cve/CVE-2021-4048/
`ubuntu`	low	CVE-2021-4048 low priority: Ubuntu including 2 source packages (lapack, openblas), 30 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 17, ignored 5, needed 4, needs-triage 2, released 2.	https://ubuntu.com/security/CVE-2021-4048

Affected software / configurations for CVE-2021-4048

Vendor	Product	Version	Raw CPE
lapack_project	lapack	<= 3.10.0	cpe:2.3:a:lapack_project:lapack::::::::
openblas_project	openblas	< 0.3.18	cpe:2.3:a:openblas_project:openblas::::::::
julialang	julia	<= 1.6.3	cpe:2.3:a:julialang:julia::::::::
julialang	julia	1.7.0	cpe:2.3:a:julialang:julia:1.7.0:beta1::::::
julialang	julia	1.7.0	cpe:2.3:a:julialang:julia:1.7.0:beta2::::::
julialang	julia	1.7.0	cpe:2.3:a:julialang:julia:1.7.0:beta3::::::
julialang	julia	1.7.0	cpe:2.3:a:julialang:julia:1.7.0:beta4::::::
julialang	julia	1.7.0	cpe:2.3:a:julialang:julia:1.7.0:rc1::::::
redhat	ceph_storage	2.0	cpe:2.3:a:redhat:ceph_storage:2.0:::::::*
redhat	ceph_storage	3.0	cpe:2.3:a:redhat:ceph_storage:3.0:::::::*
redhat	ceph_storage	4.0	cpe:2.3:a:redhat:ceph_storage:4.0:::::::*
redhat	ceph_storage	5.0	cpe:2.3:a:redhat:ceph_storage:5.0:::::::*
redhat	openshift_container_storage	4.0	cpe:2.3:a:redhat:openshift_container_storage:4.0:::::::*
redhat	openshift_data_foundation	4.0	cpe:2.3:a:redhat:openshift_data_foundation:4.0:::::::*
redhat	enterprise_linux	8.0	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*

References for CVE-2021-4048

URL	Tags
https://github.com/JuliaLang/julia/issues/42415	Issue Tracking Patch Third Party Advisory
https://github.com/Reference-LAPACK/lapack/commit/38f3eeee3108b18158409ca2a100e6fe03754781	Patch Third Party Advisory
https://github.com/Reference-LAPACK/lapack/pull/625	Issue Tracking Patch Third Party Advisory
https://github.com/xianyi/OpenBLAS/commit/2be5ee3cca97a597f2ee2118808a2d5eacea050c	Patch Third Party Advisory
https://github.com/xianyi/OpenBLAS/commit/337b65133df174796794871b3988cd03426e6d41	Patch Third Party Advisory
https://github.com/xianyi/OpenBLAS/commit/ddb0ff5353637bb5f5ad060c9620e334c143e3d7	Patch Third Party Advisory
https://github.com/xianyi/OpenBLAS/commit/fe497efa0510466fd93578aaf9da1ad8ed4edbe7	Patch Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QFEVOCUG2UXMVMFMTU4ONJVDEHY2LW2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DROZM4M2QRKSD6FBO4BHSV2QMIRJQPHT/

URL

CVE-2021-4048

Exploit prediction scoring system (EPSS) score for CVE-2021-4048

Common vulnerability scoring system (CVSS) metrics for CVE-2021-4048

Weakness enumeration for CVE-2021-4048

OS Trackers for CVE-2021-4048

Affected software / configurations for CVE-2021-4048

References for CVE-2021-4048