Medium severity 4.4 · NVD Advisory · Published Nov 11, 2021 · Updated Apr 15, 2026

CVE-2021-3910

Description

OctoRPKI crashes when encountering a repository that returns an invalid ROA (just an encoded NUL (\0) character).

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/cloudflare/cfrpki (Go)
Affected versions: < 1.4.0
Patched versions: 1.4.0

Patches

76f0f7a98da0

VULN-8284: Prevent oob read on BER data containing NUL contents

https://github.com/cloudflare/cfrpki · David Haynes · Oct 20, 2021 · via ghsa
1 file changed · +4 -0
  • validator/lib/ber.go · +4 -0 · modified
    @@ -162,6 +162,10 @@ func readObject(ber []byte, offset int) (asn1Object, int, error) {
     	*/
     	// read length
     	var length int
    +	// GHSA-5mxh-2qfv-4g7j: Prevent a BER w/ NUL contents from being processed
    +	if len(ber) <= offset {
    +		return nil, 0, errors.New("ber2der: invalid BER tag length")
    +	}
     	l := ber[offset]
     	offset++
     	indefinite := false
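
Review bot: The new guard in front of `l := ber[offset]` covers only the first length octet, so any later indexing of `ber` in readObject (for example the long-form length bytes, which this hunk does not show) needs the same check against `len(ber)`; please confirm those reads are bounded too. The comparison `len(ber) <= offset` also lets a negative `offset` through, so `offset < 0 || offset >= len(ber)` would be the tighter condition. The added comment names the advisory rather than the invariant being enforced; a wording such as "need at least one length octet at offset" would stay meaningful after the advisory is forgotten. The change touches only validator/lib/ber.go, so a regression test that feeds readObject an input ending right after the tag byte would lock the fix in.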
    
