Vulnerability details: VCID-dtvw-92bk-wbcf
Vulnerability ID VCID-dtvw-92bk-wbcf
Aliases CVE-2021-30639, GHSA-44qp-qhfv-c7f6
Summary A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30639.json
epss 0.00422 https://api.first.org/data/v1/epss?cve=CVE-2021-30639
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30639
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-44qp-qhfv-c7f6
cvssv3.1 7.5 https://kc.mcafee.com/corporate/index?page=content&id=SB10366
generic_textual HIGH https://kc.mcafee.com/corporate/index?page=content&id=SB10366
cvssv3.1 7.5 https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cdev.tomcat.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cdev.tomcat.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cusers.tomcat.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cusers.tomcat.apache.org%3E
cvssv3.1 7.5 https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E
generic_textual HIGH https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-30639
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-30639
cvssv3.1 7.5 https://security.gentoo.org/glsa/202208-34
generic_textual HIGH https://security.gentoo.org/glsa/202208-34
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20210827-0007
generic_textual HIGH https://security.netapp.com/advisory/ntap-20210827-0007
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpujan2022.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpujan2022.html
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30639.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://kc.mcafee.com/corporate/index?page=content&id=SB10366
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cdev.tomcat.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf@%3Cusers.tomcat.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-30639
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.gentoo.org/glsa/202208-34
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20210827-0007
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://www.oracle.com/security-alerts/cpujan2022.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.61938
EPSS Score 0.00422
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:06.285908+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-10.html 38.0.0