CVE-2021-40839

low

Published 2021-09-13 · Modified 2025-10-09

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

2.5

Description

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-40839

OS impact

OS	Version	Status	Fixed in
arch		affected
debian	bookworm	fixed	`1.0.6-2`
debian	bullseye	affected
debian	forky	fixed	`1.0.6-2`
debian	sid	fixed	`1.0.6-2`
debian	trixie	fixed	`1.0.6-2`

Package impact

Ecosystem	Package	Vulnerable	Fixed
PyPI	rencode	`<=1.0.6`
PyPI	rencode	`<572ff74586d9b1daab904c6f7f7009ce0143bb75`	`572ff74586d9b1daab904c6f7f7009ce0143bb75`

References

https://nvd.nist.gov/vuln/detail/CVE-2021-40839
https://github.com/aresch/rencode/pull/29
https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
https://github.com/advisories/GHSA-gh8j-2pgf-x458
https://github.com/aresch/rencode
https://github.com/pypa/advisory-database/tree/main/vulns/rencode/PYSEC-2021-345.yaml
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMVQRPDVSVZNGGX57CFKCYT3DEYO4QB6
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY
https://pypi.org/project/rencode/#history
https://seclists.org/fulldisclosure/2021/Sep/16
https://security.netapp.com/advisory/ntap-20211008-0001
https://security-tracker.debian.org/tracker/CVE-2021-40839

Verify integrity in audit chain (admin only). AS-IS.