Search for vulnerabilities
Vulnerability details: VCID-4kmk-bhgz-53hp
Vulnerability ID VCID-4kmk-bhgz-53hp
Aliases CVE-2021-3521
Summary There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
Status Published
Exploitability 0.5
Weighted Severity 4.2
Risk 2.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-347 Improper Verification of Cryptographic Signature
System Score Found at
cvssv3 4.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3521.json
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
epss 0.00028 https://api.first.org/data/v1/epss?cve=CVE-2021-3521
cvssv3.1 4.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 4.7 https://nvd.nist.gov/vuln/detail/CVE-2021-3521
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3521.json
https://access.redhat.com/security/cve/CVE-2021-3521
https://api.first.org/data/v1/epss?cve=CVE-2021-3521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3521
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rpm-software-management/rpm/commit/bd36c5dc9fb6d90c46fbfed8c2d67516fc571ec8
https://github.com/rpm-software-management/rpm/pull/1795/
https://security.gentoo.org/glsa/202210-22
1014723 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014723
1941098 https://bugzilla.redhat.com/show_bug.cgi?id=1941098
cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:rpm:rpm:*:*:*:*:*:*:*:*
CVE-2021-3521 https://nvd.nist.gov/vuln/detail/CVE-2021-3521
RHSA-2022:0254 https://access.redhat.com/errata/RHSA-2022:0254
RHSA-2022:0368 https://access.redhat.com/errata/RHSA-2022:0368
RHSA-2022:0634 https://access.redhat.com/errata/RHSA-2022:0634
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3521.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-3521
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02538
EPSS Score 0.00016
Published At Sept. 9, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:32:43.802586+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.21/community.json 37.0.0