iPerf3 before 3.17 when used with OpenSSL before 3.2.0 as a server with RSA authentication allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

...

USN-4788-1 iperf3 vulnerability

It was discovered that iperf mishandled certain UTF-8 and UTF-16 strings. A remote attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code...