Heap Underflow Vulnerability in GRUB2 by Red Hat
CVE-2021-3697

7 HIGH

Key Information:

Vendor: Gnu
Status: Vendor
CVE Published: 6 July 2022

Summary

A carefully crafted JPEG image can cause the JPEG reader in GRUB2 to underflow its data pointer, enabling an attacker to manipulate user-controlled data in the heap. Successful exploitation requires the attacker to meticulously analyze the heap layout and create a maliciously formatted image. This vulnerability could lead to data corruption and, from there, to code execution or even a bypass of Secure Boot. It affects versions of GRUB2 prior to 2.12.

Affected Version(s)

grub2 grub-2.06

CVSS V3.1

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
