CVE-2021-42388
CVE-2021-42388 is a high-severity vulnerability in Clickhouse with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-125.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- CVSS v2: 5.5
- EPSS exploit prediction: 2% (72nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-125
- Affected product: Clickhouse
- Published:
- Last modified:
Description
Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.
Frequently asked questions
- What is CVE-2021-42388?
- Heap out-of-bounds read in Clickhouse's LZ4 compression codec when parsing a malicious query. As part of the LZ4::decompressImpl() loop, a 16-bit unsigned user-supplied value ('offset') is read from the compressed data. The offset is later used in the length of a copy operation, without checking the lower bounds of the source of the copy operation.
- How severe is CVE-2021-42388?
- CVE-2021-42388 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability high.
- Is CVE-2021-42388 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (72nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-42388?
- CVE-2021-42388 primarily affects Clickhouse. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-42388?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-42388 published?
- CVE-2021-42388 was published on 2022-03-14 and last updated on 2026-06-17.
References
- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms
- https://lists.debian.org/debian-lts-announce/2022/11/msg00002.html
Affected products (2)
- cpe:2.3:a:clickhouse:clickhouse:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Clickhouse
- CVE-2019-16535 — Critical (CVSS 9.8): In all versions of ClickHouse before 19.14, an OOB read, OOB write and integer underflow in decompression algorithms…
- CVE-2018-14671 — Critical (CVSS 9.8): In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a…
- CVE-2018-14670 — Critical (CVSS 9.8): Incorrect configuration in deb package in ClickHouse before 1.1.54131 could lead to unauthorized use of the database.
- CVE-2019-16536 — High (CVSS 8.8): Stack overflow leading to DoS can be triggered by a malicious authenticated client in Clickhouse before 19.14.3.3.
- CVE-2021-43305 — High (CVSS 8.8): Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification…
- CVE-2021-43304 — High (CVSS 8.8): Heap buffer overflow in Clickhouse's LZ4 compression codec when parsing a malicious query. There is no verification…
All CVEs affecting Clickhouse →
Other CWE-125 (Out-of-bounds Read) vulnerabilities
- CVE-2026-24826 — Critical (CVSS 10.0): Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read,…
- CVE-2024-22004 — Critical (CVSS 10.0): Due to length check, an attacker with privilege access on a Linux Nonsecure operating system can trigger a…
- CVE-2021-41556 — Critical (CVSS 10.0): sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that…
- CVE-2021-21777 — Critical (CVSS 10.0): An information disclosure vulnerability exists in the Ethernet/IP UDP handler functionality of EIP Stack Group OpENer…
- CVE-2017-14451 — Critical (CVSS 10.0): An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. A…
- CVE-2013-0767 — Critical (CVSS 10.0): The nsSVGPathElement::GetPathLengthScale function in Mozilla Firefox before 18.0, Firefox ESR 10.x before 10.0.12 and…