Heap Out-of-Bounds Write Vulnerability in GRUB2 by Red Hat
CVE-2021-3696

4.5 MEDIUM

Key Information:

Vendor: GNU
Status: Vendor
CVE Published: 6 July 2022

Summary

A heap out-of-bounds write can occur while the PNG reader of GRUB2 processes Huffman tables. If triggered, it corrupts data in the heap. The impact on confidentiality, integrity, and availability is rated low because an attacker would have to control the encoding and arrangement of the corrupted Huffman entries to reach an outcome such as arbitrary code execution, which is complex; the flaw nonetheless poses a security risk to users of affected GRUB2 versions.
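As an added illustration of the bug class this entry describes, and not GRUB2's own code or the upstream fix, the following C function builds a canonical Huffman decode table from DEFLATE-style code lengths and rejects input that would otherwise write past the fixed-size table (a code length above the 15-bit limit, or an over-subscribed set of lengths). The names huff_build, huff_table and the size constants are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_BITS 15       /* DEFLATE limit on Huffman code length */
#define MAX_SYMBOLS 288   /* DEFLATE literal/length alphabet size */

/* Constructed decode table: per-length code counts plus the symbols
 * sorted by (code length, symbol value), as a canonical decoder needs. */
struct huff_table {
    uint16_t count[MAX_BITS + 1];
    uint16_t symbol[MAX_SYMBOLS];
};

/* Build the table from per-symbol code lengths (0 = symbol unused).
 * Returns 0 on success, -1 when the lengths are malformed; in that
 * case nothing is written outside the bounds of *t. */
int huff_build(struct huff_table *t, const uint8_t *lengths, size_t nsym)
{
    if (nsym > MAX_SYMBOLS)
        return -1;
    memset(t, 0, sizeof *t);

    /* Pass 1: histogram of code lengths. A length above MAX_BITS is
     * rejected before it can index past count[]. */
    for (size_t s = 0; s < nsym; s++) {
        if (lengths[s] > MAX_BITS)
            return -1;
        t->count[lengths[s]]++;
    }
    t->count[0] = 0; /* unused symbols carry no code */

    /* Kraft check: an over-subscribed set of lengths is not a valid
     * prefix code and must not drive the second pass. */
    int left = 1;
    for (int len = 1; len <= MAX_BITS; len++) {
        left = (left << 1) - t->count[len];
        if (left < 0)
            return -1;
    }

    /* Pass 2: starting offset of each length in symbol[], then scatter.
     * Every index written is below the sum of counts, which is <= nsym. */
    uint16_t offs[MAX_BITS + 2];
    offs[1] = 0;
    for (int len = 1; len <= MAX_BITS; len++)
        offs[len + 1] = offs[len] + t->count[len];
    for (size_t s = 0; s < nsym; s++)
        if (lengths[s] != 0)
            t->symbol[offs[lengths[s]]++] = (uint16_t)s;
    return 0;
}
```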

Affected Version(s)

grub2 grub-2.06

CVSS V3.1

Score: 4.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
