The firewire subsystem in the Linux kernel through 5.14.13 has a buffer overflow related to drivers/media/firewire/firedtv-avc.c and drivers/media/firewire/firedtv-ci.c, because avc_ca_pmt mishandles bounds checking.
Conclusion & alert: CVE-2021-42739 is rated Low Risk (39.4/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.44%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.10% | 0.44% | +0.34% |
| 2 | 2026-03-15 | 0.04% | 0.10% | +0.06% |
| 3 | 2025-11-21 | — | 0.04% | — |
Full EPSS history (18 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.7 | 3.1 | MEDIUM |
|
0.8 | 5.9 | [email protected] |
| 4.6 | 2.0 | MEDIUM |
|
3.9 | 6.4 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2021-42739 not yet assigned priority: Debian including 1 source packages (linux), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2021-42739 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2021-42739 |
suse
|
high | — | https://www.suse.com/security/cve/CVE-2021-42739/ |
ubuntu
|
medium | CVE-2021-42739 medium priority: Ubuntu including 167 source packages (linux, linux-allwinner, …), 2101 status rows across 15 suites (bionic, focal, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): DNE 1627, released 221, not-affected 194, ignored 59. | https://ubuntu.com/security/CVE-2021-42739 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| linux | linux_kernel | <= 5.14.13 | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 33 | cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* |
| fedoraproject | fedora | 34 | cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| debian | debian_linux | 9.0 | cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
| starwindsoftware | starwind_san_\&_nas | v8r12 | cpe:2.3:a:starwindsoftware:starwind_san_\&_nas:v8r12:*:*:*:*:*:*:* |
| starwindsoftware | starwind_virtual_san | v8r13 | cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8r13:14338:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_binding_support_function | 22.1.3 | cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.1.3:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_network_exposure_function | 22.1.1 | cpe:2.3:a:oracle:communications_cloud_native_core_network_exposure_function:22.1.1:*:*:*:*:*:*:* |
| oracle | communications_cloud_native_core_policy | 22.2.0 | cpe:2.3:a:oracle:communications_cloud_native_core_policy:22.2.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1951739 | Issue Tracking Mitigation Third Party Advisory |
| https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=35d2969ea3c7d32aee78066b1f3cf61a0d935a4e | |
| https://lore.kernel.org/linux-media/YHaulytonFcW+lyZ%40mwanda/ | |
| https://seclists.org/oss-sec/2021/q2/46 | |
| https://www.oracle.com/security-alerts/cpujul2022.html | Patch Third Party Advisory |
| https://www.starwindsoftware.com/security/sw-20220804-0001/ | Third Party Advisory |