Memory Corruption Vulnerability in GRUB2 Affects Red Hat and Fedora
CVE-2021-20233

8.2 HIGH

Key Information:

Vendor: GNU
Status: Vendor
CVE Published: 3 March 2021

Badges

👾 Exploit Exists
🟡 Public PoC

Summary

A memory corruption flaw exists in GRUB2 versions prior to 2.06: the menu rendering code incorrectly calculates the length of quoted inputs, which allows an attacker to corrupt memory. The code assumes that a quoted single quote requires three characters when it actually requires four, so each single quote in the input can corrupt one byte of memory. This vulnerability threatens data confidentiality and integrity as well as system availability on affected systems.
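
The length miscalculation described in the summary, as an added C illustration (not GRUB2's source and not the PoC this page refers to; the function names and the sample input are constructed). The flawed estimate counts three bytes per escaped single quote, the correct one counts four, and the writer checks the correct size against the buffer capacity before copying.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper names; all sample inputs are constructed. */

/* Flawed estimate: counts an escaped single quote as 3 bytes. */
static size_t quoted_len_flawed(const char *s)
{
    size_t len = 2;                       /* opening and closing quote */
    for (; *s; s++)
        len += (*s == '\'') ? 3 : 1;
    return len;
}

/* Correct estimate: ' is emitted as '\'' which is 4 bytes. */
static size_t quoted_len(const char *s)
{
    size_t len = 2;                       /* opening and closing quote */
    for (; *s; s++)
        len += (*s == '\'') ? 4 : 1;
    return len;
}

/* Writes the quoted form of s into out (cap bytes, NUL included).
   Returns bytes written excluding the NUL, or (size_t)-1 if out is too small. */
static size_t quote_arg(const char *s, char *out, size_t cap)
{
    size_t need = quoted_len(s);
    if (cap == 0 || need > cap - 1)
        return (size_t)-1;                /* refuse instead of truncating */
    char *p = out;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = *s;
    }
    *p++ = '\'';
    *p = '\0';
    return (size_t)(p - out);
}

int main(void)
{
    const char *in = "it's 'x'";          /* constructed input with 3 quotes */
    char buf[64];
    size_t n = quote_arg(in, buf, sizeof buf);
    printf("%s\nflawed=%zu correct=%zu written=%zu\n",
           buf, quoted_len_flawed(in), quoted_len(in), n);
    return 0;
}
```

The gap between the two estimates equals the number of single quotes in the input, which matches the one byte per quote stated in the summary.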

Affected Version(s)

grub2 grub 2.06

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
