{"id":"UBUNTU-CVE-2021-21404","details":"Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server `strelaysrv` can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.","modified":"2026-03-25T18:29:46.399505Z","published":"2021-04-06T20:15:00Z","upstream":["CVE-2021-21404"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2021-21404"},{"type":"REPORT","url":"https://github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97"},{"type":"REPORT","url":"https://github.com/syncthing/syncthing/releases/tag/v1.15.0"},{"type":"REPORT","url":"https://github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h"},{"type":"REPORT","url":"https://pkg.go.dev/github.com/syncthing/syncthing"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2021-21404"}],"affected":[{"package":{"name":"syncthing","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/syncthing@0.14.43+ds1-6?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["0.14.36+ds1-1","0.14.38+ds1-1","0.14.43+ds1-5","0.14.43+ds1-6"],"ecosystem_specific":{"binaries":[{"binary_version":"0.14.43+ds1-6","binary_name":"golang-github-syncthing-syncthing-dev"},{"binary_version":"0.14.43+ds1-6","binary_name":"syncthing"},{"binary_version":"0.14.43+ds1-6","binary_name":"syncthing-discosrv"},{"binary_version":"0.14.43+ds1-6","binary_name":"syncthing-relaysrv"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21404.json"}},{"package":{"name":"syncthing","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/syncthing@1.1.4~ds1-4ubuntu1.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.1.4~ds1-4","1.1.4~ds1-4ubuntu1","1.1.4~ds1-4ubuntu1.1","1.1.4~ds1-4ubuntu1.2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.1.4~ds1-4ubuntu1.2","binary_name":"golang-github-syncthing-syncthing-dev"},{"binary_version":"1.1.4~ds1-4ubuntu1.2","binary_name":"syncthing"},{"binary_version":"1.1.4~ds1-4ubuntu1.2","binary_name":"syncthing-discosrv"},{"binary_version":"1.1.4~ds1-4ubuntu1.2","binary_name":"syncthing-relaysrv"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21404.json"}},{"package":{"name":"syncthing","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/syncthing@1.18.0~ds1-3ubuntu0.3+esm2?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.12.1~ds1-4","1.18.0~ds1-3","1.18.0~ds1-3ubuntu0.1","1.18.0~ds1-3ubuntu0.2","1.18.0~ds1-3ubuntu0.3","1.18.0~ds1-3ubuntu0.3+esm1","1.18.0~ds1-3ubuntu0.3+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.18.0~ds1-3ubuntu0.3+esm2","binary_name":"golang-github-syncthing-syncthing-dev"},{"binary_version":"1.18.0~ds1-3ubuntu0.3+esm2","binary_name":"syncthing"},{"binary_version":"1.18.0~ds1-3ubuntu0.3+esm2","binary_name":"syncthing-discosrv"},{"binary_version":"1.18.0~ds1-3ubuntu0.3+esm2","binary_name":"syncthing-relaysrv"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21404.json"}},{"package":{"name":"syncthing","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/syncthing@1.27.2~ds4-1ubuntu0.24.04.3+esm2?arch=source&distro=esm-apps/noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.19.2~ds1-3","1.27.2~ds4-1","1.27.2~ds4-1ubuntu0.24.04.1","1.27.2~ds4-1ubuntu0.24.04.2","1.27.2~ds4-1ubuntu0.24.04.2+esm1","1.27.2~ds4-1ubuntu0.24.04.3","1.27.2~ds4-1ubuntu0.24.04.3+esm1","1.27.2~ds4-1ubuntu0.24.04.3+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.27.2~ds4-1ubuntu0.24.04.3+esm2","binary_name":"golang-github-syncthing-syncthing-dev"},{"binary_version":"1.27.2~ds4-1ubuntu0.24.04.3+esm2","binary_name":"syncthing"},{"binary_version":"1.27.2~ds4-1ubuntu0.24.04.3+esm2","binary_name":"syncthing-discosrv"},{"binary_version":"1.27.2~ds4-1ubuntu0.24.04.3+esm2","binary_name":"syncthing-relaysrv"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21404.json"}},{"package":{"name":"syncthing","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/syncthing@1.29.5~ds1-2?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.29.2~ds1-1","1.29.5~ds1-2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.29.5~ds1-2","binary_name":"golang-github-syncthing-syncthing-dev"},{"binary_version":"1.29.5~ds1-2","binary_name":"syncthing"},{"binary_version":"1.29.5~ds1-2","binary_name":"syncthing-discosrv"},{"binary_version":"1.29.5~ds1-2","binary_name":"syncthing-relaysrv"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21404.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}