Description
Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.
Published: 2026-05-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sticky Notes Widget 3.0.6 contains a buffer overflow that triggers an application crash when an attacker pastes an excessively long character string into a note field. When a payload of 350,000 repeated characters is generated and pasted twice into a new note, the application crashes on iOS devices, leaving the widget unavailable to users. The vulnerability is identified as CWE-789: Improper Restriction of Operations within the Bounds of a Memory Buffer.

Affected Systems

The affected product is Sticky Notes Widget version 3.0.6 from the vendor sticky-notes. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.7 reflects the high severity of this denial of service flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to supply a very long string to the note field, which implies a user-interaction or social engineering component. While this is not a remote code execution vulnerability, the crash can disrupt user workflow and could potentially be leveraged as a vector for more complex attacks if combined with other weaknesses. The lack of a publicly listed exploit does not diminish the importance of mitigation, especially on iOS deployments where the app may be distributed through corporate channels.

Generated by OpenCVE AI on May 16, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain a newer version of Sticky Notes Widget that resolves CVE-2021-47973 if an update is available
  • Configure the widget or the underlying platform to enforce a maximum length on note field input, rejecting strings that exceed a safe threshold
  • Monitor the application for unexpected crashes and apply any future vendor patches as soon as they are released

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | Sticky Notes Widget 3.0.6 contains a denial of service vulnerability that allows attackers to crash the application by pasting excessively long character strings into note fields. Attackers can generate a payload containing 350000 repeated characters and paste it twice into a new note to trigger an application crash on iOS devices.
Title | | Sticky Notes Widget 3.0.6 Denial of Service via Buffer Overflow
Weaknesses | | CWE-789
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:26:13.702Z

Reserved: 2026-05-16T14:32:06.209Z

Link: CVE-2021-47973

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:22.713

Modified: 2026-05-16T16:16:22.713

Link: CVE-2021-47973

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses