Heap Out-of-Bounds Write Vulnerability in GRUB2 by Red Hat
CVE-2021-3696
4.5 MEDIUM
What is CVE-2021-3696?
This vulnerability is a heap out-of-bounds write that can occur while the PNG reader in GRUB2 processes Huffman tables. When exploited, it may lead to data corruption in the heap space. The impact on confidentiality, integrity, and availability is typically considered low, because achieving outcomes such as arbitrary code execution would require controlling the encoding and arrangement of the corrupted Huffman entries, which is complex. It still poses a security risk for users of affected GRUB2 versions.
Affected Version(s)
grub2 grub-2.06