VYPR
Unrated severity · NVD Advisory · Published Jan 21, 2021 · Updated Aug 3, 2024

CVE-2021-21723

Description

A memory leak in ZTE ZXR10 series routers allows a remote attacker to cause a denial of service via a series of network operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A denial-of-service vulnerability exists in certain ZTE ZXR10 routers due to improper memory release handling in specific scenarios. Affected products include ZXR10 9904, 9908, 9916, 9904-S, and 9908-S running all versions up to V1.01.10.B12 [1]. The vulnerability resides in the network processing code and can be triggered without authentication or special configuration, provided the device is reachable on the network.

Exploitation

A remote attacker can exploit this vulnerability by sending a series of crafted network operations (not further specified in the reference) to the targeted device. No authentication or prior access is required, and the attack vector is over the network with low complexity [1]. Exploitation involves performing these operations repeatedly so that memory is allocated but never properly freed.

Impact

Successful exploitation leads to a progressive memory leak on the device, consuming available memory until the router becomes unresponsive or crashes. The impact is a denial of service (availability loss) affecting the device itself, with no confidentiality or integrity impact [1]. The scope is changed, meaning the vulnerable component impacts resources beyond its security scope, as the device becomes unavailable for legitimate traffic handling.

Mitigation

ZTE has released fixed version V1.01.10.B13 for all affected models [1]. Users should upgrade to this version or later to remediate the vulnerability. No workarounds are documented in the reference. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • ZTE/ZXR10 9904, ZXR10 9908, ZXR10 9916, ZXR10 9904-S, ZXR10 9908-S (description)
  • Zte/ZXR10 9904 (llm-create)
    Range: <= V1.01.10.B12

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.