CVE-2021-42694: Code Injection

Published Nov 1, 2021
·
Updated

DISPUTED An issue was discovered in the character definitions of the Unicode Specification through 14.0. The specification allows an adversary to produce source code identifiers such as function names using homoglyphs that render visually identical to a target identifier. Adversaries can leverage this to inject code via adversarial identifier definitions in upstream software dependencies invoked deceptively in downstream software. NOTE: the Unicode Consortium offers the following alternative approach to presenting this concern. An issue is noted in the nature of international text that can affect applications that implement support for The Unicode Standard (all versions). Unless mitigated, an adversary could produce source code identifiers using homoglyph characters that render visually identical to but are distinct from a target identifier. In this way, an adversary could inject adversarial identifier definitions in upstream software that are not detected by human reviewers and are invoked deceptively in downstream software. The Unicode Consortium has documented this class of security vulnerability in its document, Unicode Technical Report #36, Unicode Security Considerations. The Unicode Consortium also provides guidance on mitigations for this class of issues in Unicode Technical Standard #39, Unicode Security Mechanisms.

Affected Software

1 affected component
Unicode Unicode<14.0.0

Event History

Nov 1, 2021
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Disputed
04:15 AM
Data Sourced
via NVD·04:15 AM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-42694?

CVE-2021-42694 is a vulnerability discovered in the character definitions of the Unicode Specification through version 14.0.

2

What is the severity of CVE-2021-42694?

The severity of CVE-2021-42694 is high, with a severity value of 8.3.

3

How does CVE-2021-42694 affect Unicode?

CVE-2021-42694 allows an adversary to produce source code identifiers using visually identical homoglyphs, which can be leveraged for malicious purposes.

4

What is the affected software of CVE-2021-42694?

The affected software is Unicode Specification up to version 14.0.

5

How can I mitigate the vulnerability in CVE-2021-42694?

There are currently no known mitigation strategies for CVE-2021-42694. It is advisable to monitor for vendor patches and updates.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203
CVE-2021-42694 - Code Injection - SecAlerts