Heap Underflow Vulnerability in GRUB2 by Red Hat
CVE-2021-3697
7 HIGH
What is CVE-2021-3697?
A carefully crafted JPEG image can cause the JPEG reader in GRUB2 to underflow its data pointer, enabling an attacker to manipulate user-controlled data in the heap. Successful exploitation requires the attacker to meticulously analyze the heap layout and create a maliciously formatted image. This vulnerability could lead to data corruption and open the way to code execution or even a bypass of Secure Boot mechanisms. It particularly affects versions of GRUB2 prior to 2.12.
Affected Version(s)
grub2 grub-2.06