Crash due to malformed relay protocol message
Description
Syncthing is a continuous file synchronization program. In Syncthing before version 1.15.0, the relay server strelaysrv can be caused to crash and exit by sending a relay message with a negative length field. Similarly, Syncthing itself can crash for the same reason if given a malformed message from a malicious relay server when attempting to join the relay. Relay joins are essentially random (from a subset of low latency relays) and Syncthing will by default restart when crashing, at which point it's likely to pick another non-malicious relay. This flaw is fixed in version 1.15.0.
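An added example, not Syncthing's code and not taken from the fix commit: a Go reader for a length-prefixed message that validates the signed length field before allocating, which is the kind of check a negative length field calls for. The two-field header layout, the 1024-byte cap, and the names `readMessage`, `frame` and `errBadLength` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed, simplified framing for illustration (not Syncthing's wire format):
// a 4-byte signed type and a 4-byte signed payload length, both big-endian.
type header struct{ Type, Length int32 }

const maxPayloadLen int32 = 1024 // assumed upper bound, not from the page

var errBadLength = errors.New("bad message length")

// readMessage rejects a negative or oversized length before allocating.
// Without the check, make([]byte, h.Length) panics on a negative value
// and the panic takes the whole process down.
func readMessage(r io.Reader) (int32, []byte, error) {
	var h header
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return 0, nil, fmt.Errorf("reading header: %w", err)
	}
	if h.Length < 0 || h.Length > maxPayloadLen {
		return 0, nil, fmt.Errorf("%w: %d", errBadLength, h.Length)
	}
	payload := make([]byte, h.Length)
	if _, err := io.ReadFull(r, payload); err != nil {
		return 0, nil, fmt.Errorf("reading payload: %w", err)
	}
	return h.Type, payload, nil
}

// frame builds a constructed sample message; length is set independently.
func frame(msgType, length int32, payload []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, header{msgType, length})
	return append(b.Bytes(), payload...)
}

func main() {
	for _, n := range []int32{5, -1, 1 << 30} {
		_, p, err := readMessage(bytes.NewReader(frame(1, n, []byte("hello"))))
		fmt.Printf("length=%d payload=%q err=%v\n", n, p, err)
	}
}
```

Returning an error lets the caller drop the one connection; an unrecovered panic in the same place ends the process, which is the crash-and-exit behaviour the description reports.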
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/syncthing/syncthing (Go) | < 1.15.0 | 1.15.0 |
Affected products
- osv-coords (5 versions), range: < 1.15.0 + 4 more
  - pkg:bitnami/syncthing
  - pkg:golang/github.com/syncthing/syncthing
  - pkg:rpm/opensuse/syncthing&distro=openSUSE%20Leap%2015.2
  - pkg:rpm/opensuse/syncthing&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/syncthing&distro=SUSE%20Package%20Hub%2015%20SP2
- (no CPE) range: < 1.15.0
- (no CPE) range: < 1.15.0
- (no CPE) range: < 1.15.1-lp152.2.3.1
- (no CPE) range: < 1.18.2-2.1
- (no CPE) range: < 1.15.1-bp152.2.3.1
References
- github.com/advisories/GHSA-x462-89pf-6r5h (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-21404 (ghsa; ADVISORY)
- github.com/syncthing/syncthing/commit/fb4fdaf4c0a79c22cad000c42ac1394e3ccb6a97 (ghsa; x_refsource_MISC; WEB)
- github.com/syncthing/syncthing/releases/tag/v1.15.0 (ghsa; x_refsource_MISC; WEB)
- github.com/syncthing/syncthing/security/advisories/GHSA-x462-89pf-6r5h (ghsa; x_refsource_CONFIRM; WEB)
- pkg.go.dev/github.com/syncthing/syncthing (ghsa; x_refsource_MISC; WEB)