CVE-2021-42340
7.5 HIGH
Published: 2021-10-14 · Last updated: 2026-06-17
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (network-reachable, no privileges or user interaction; impact is availability only)
- CWE: CWE-772 (Missing Release of Resource after Effective Lifetime)
Affected products
| Vendor | Product |
|---|---|
| apache | tomcat |
| debian | debian_linux (see DSA-5009 in References) |
| netapp | products listed in NetApp advisory NTAP-20211104-0001 (see References) |
| oracle | agile_engineering_data_management, big_data_spatial_and_graph, communications_diameter_signaling_router |
Description
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
Source: NVD
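The check a practitioner most often needs for this entry is whether a given Tomcat build falls inside the four affected ranges quoted above. The following is an added Python example, not code from NVD or the Tomcat project. It encodes the ranges from the description, sorts milestone builds (for example 10.1.0-M5) before the GA release with the same number, and parses a constructed sample of the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`, the standard way to read the version of an installed build. The first fixed releases named in the comments (10.1.0-M6, 10.0.12, 9.0.54, 8.5.72) are the releases immediately after each range and are not part of the NVD text.

```python
"""Version-range check for CVE-2021-42340 (Apache Tomcat WebSocket
upgrade-metrics memory leak).

Added example: not code from NVD or the Tomcat project. The affected ranges
are the four quoted in the NVD description; the fixed releases named in the
comments are the first release after each range (an assumption stated in the
lead-in, not taken from the NVD text).
"""
import re

# Inclusive affected ranges from the description. First fixed release after
# each range: 10.1.0-M6, 10.0.12, 9.0.54, 8.5.72.
AFFECTED_RANGES = [
    ("10.1.0-M1", "10.1.0-M5"),
    ("10.0.0-M1", "10.0.11"),
    ("9.0.40", "9.0.53"),
    ("8.5.60", "8.5.71"),
]

# X.Y.Z with an optional Tomcat milestone suffix, e.g. 10.1.0-M5.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(version):
    """Turn 'X.Y.Z' or 'X.Y.Z-Mn' into a tuple that sorts correctly.

    Milestones precede the GA build with the same X.Y.Z, so the fourth
    field is 0 for a milestone and 1 for GA: 10.1.0-M5 < 10.1.0-M6 < 10.1.0.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if version lies inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Constructed sample of the output of
#   java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
# run from CATALINA_HOME; only the 'Server version' line is parsed.
SAMPLE_SERVERINFO = """\
Server version: Apache Tomcat/9.0.53
Server built:   Sep 10 2021 11:20:30 UTC
Server number:  9.0.53.0
OS Name:        Linux
"""


def version_from_serverinfo(text):
    """Extract the X.Y.Z[-Mn] version from ServerInfo output."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Server version' line in ServerInfo output")
    return m.group(1)


if __name__ == "__main__":
    for v in ("9.0.39", "9.0.53", "9.0.54", "10.0.0", "10.0.12",
              "10.1.0-M5", "10.1.0-M6", "10.1.0", "8.5.60", "8.5.72"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    detected = version_from_serverinfo(SAMPLE_SERVERINFO)
    print(f"ServerInfo sample reports {detected}: "
          f"{'AFFECTED' if is_affected(detected) else 'not affected'}")
```

Two caveats follow from the description itself. The leaked object is created per HTTP upgrade connection and left behind when a WebSocket connection closes, so heap growth scales with WebSocket connect/disconnect churn rather than with request volume, and a deployment on an affected version that serves no WebSocket endpoints does not accumulate it. Conversely, a build that is in range and exposes WebSocket endpoints to unauthenticated clients (AV:N/PR:N in the vector) can be driven to OutOfMemoryError by anyone who can open and close connections, which is why the remediation is moving to a release past the range rather than tuning heap size.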
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2021-42340
- [Other]https://kc.mcafee.com/corporate/index?page=content&id=SB10379
- [Other]https://lists.apache.org/thread.html/r8097a2d1550aa78e585fc77e602b9046e6d4099d8d132497c5387784%40%3Ccommits.myfaces.apache.org%3E
- [Vendor advisory]https://lists.apache.org/thread.html/r83a35be60f06aca2065f188ee542b9099695d57ced2e70e0885f905c%40%3Cannounce.tomcat.apache.org%3E
- [Other]https://security.gentoo.org/glsa/202208-34
- [Other]https://security.netapp.com/advisory/ntap-20211104-0001/
- [Other]https://www.debian.org/security/2021/dsa-5009
- [Patch]https://www.oracle.com/security-alerts/cpuapr2022.html
- [Patch]https://www.oracle.com/security-alerts/cpujan2022.html
- [Patch]https://www.oracle.com/security-alerts/cpujul2022.html
Related CVEs
Same vendor
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
- CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
Same CWE
- CVE-2026-45536 — Netty is a network application framework for development of protocol servers and clients (4.0 MEDIUM)
- CVE-2026-45287 — OpenTelemetry-Go is the Go implementation of OpenTelemetry
- CVE-2026-9156 — Tanium addressed a denial of service vulnerability in Tanium Server (6.5 MEDIUM)
- CVE-2026-42577 — Netty is an asynchronous, event-driven network application framework (7.5 HIGH)
- CVE-2026-3104 — A specially crafted domain can be used to cause a memory leak in a BIND resolver simply by querying this domain (7.5 HIGH)