Out-of-Bounds Write Vulnerability in Grub2 by Red Hat
CVE-2021-3695
4.5 MEDIUM
Summary
An out-of-bounds write vulnerability exists in Grub2 in its handling of crafted 16-bit grayscale PNG images. This flaw allows attackers to potentially corrupt heap data, leading to severe consequences such as arbitrary code execution and the bypassing of secure boot protections. Exploiting this vulnerability is complex and requires knowledge of the heap layout to manipulate memory effectively. Additionally, the payloads written into memory are repeated multiple times, which complicates exploitation.
Affected Version(s)
grub2 grub-2.06
CVSS V3.1
Score: 4.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved