Buffer Overflow in GRUB Affects Secure Boot Mechanism
CVE-2022-2601

8.6HIGH

Key Information:

Vendor: Gnu
Status: Grub2
Vendor: CVE Published:; 14 December 2022

What is CVE-2022-2601?

A buffer overflow vulnerability in the GRUB bootloader was identified, where a maliciously crafted pf2 font could exploit the function grub_font_construct_glyph(). This issue arises during the calculation of max_glyph_size, leading to the allocation of insufficient buffer space. Consequently, this flaw can cause a buffer overflow and result in a heap-based out-of-bounds write. Attackers may leverage this vulnerability to bypass the secure boot process, potentially compromising system integrity.

Affected Version(s)

grub2 grub2 2.06 and lower

References

https://bugzilla.redhat.com/show_bug.cgi?id=2112975#c0

https://security.netapp.com/advisory/ntap-20230203-0004/

https://security.gentoo.org/glsa/202311-14

vendor-advisory

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 14, 2022
Vulnerability Reserved
Aug 1, 2022

Gnu

What is CVE-2022-2601?

Affected Version(s)

References

CVSS V3.1

Timeline