Memory Corruption Vulnerability in GRUB2 by Red Hat
CVE-2020-25647
7.6 HIGH
Summary
A flaw exists in GRUB2 in USB device initialization: device descriptors are read with inadequate bounds checking, because the code assumes that the USB device presents valid values. If an attacker successfully exploits this vulnerability, the result may be memory corruption, enabling arbitrary code execution and a bypass of Secure Boot. The potential impact includes severe threats to data confidentiality, integrity, and overall system availability.
Affected Version(s)
grub2 grub 2.06
CVSS V3.1
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability Reserved