Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-9kc8-k5kc-u7em
Vulnerability ID VCID-9kc8-k5kc-u7em
Aliases CVE-2021-29991
Summary Firefox incorrectly accepted a newline in a HTTP/3 header, interpreting it as two separate headers. This allowed for a header splitting attack against servers using HTTP/3.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29991.json
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2021-29991
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
archlinux High https://security.archlinux.org/AVG-2291
archlinux High https://security.archlinux.org/AVG-2301
generic_textual high https://www.mozilla.org/en-US/security/advisories/mfsa2021-37
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29991.json
https://api.first.org/data/v1/epss?cve=CVE-2021-29991
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1995267 https://bugzilla.redhat.com/show_bug.cgi?id=1995267
AVG-2291 https://security.archlinux.org/AVG-2291
AVG-2301 https://security.archlinux.org/AVG-2301
mfsa2021-37 https://www.mozilla.org/en-US/security/advisories/mfsa2021-37
USN-5047-1 https://usn.ubuntu.com/5047-1/
USN-5248-1 https://usn.ubuntu.com/5248-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-29991.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.56725
EPSS Score 0.00341
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:17:13.186561+00:00 Mozilla Importer Import https://github.com/mozilla/foundation-security-advisories/blob/master/announce/2021/mfsa2021-37.yml 38.0.0