Integer underflow in grub_net_recv_ip4_packets
CVE-2022-28733
8.1 HIGH
Key Information:
- Vendor
- Gnu Project
- Status
- Gnu Grub
- Vendor
- CVE Published: 20 July 2023
Summary
An integer underflow vulnerability exists in GRUB's grub_net_recv_ip4_packets function, which can be exploited through maliciously crafted IP packets. When such a packet is received, the function may mistakenly interpret the total length value, causing it to wrap around to a smaller integer. This miscalculation can result in incorrect memory allocation, allowing attackers to write data beyond the allocated buffer, potentially leading to various security implications such as data corruption or unauthorized access.
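The length-wrap pattern described in the summary, shown as an added example beside a checked form. This is illustrative code written for this page, not GRUB's source or its fix. The function names, the `received` parameter and the `base` parameter (bytes already accounted for ahead of this packet's payload) are assumptions of the example and go beyond what the summary states.

```c
#include <stddef.h>
#include <stdint.h>

#define IP4_MIN_HDR 20u   /* smallest legal IPv4 header, in bytes */

/* Unchecked form (hypothetical): 16-bit arithmetic on fields taken from
   the packet. The result silently wraps modulo 65536, so the size later
   used for allocation can be far smaller than the data to be stored. */
uint16_t needed_len_unchecked(uint16_t base, uint16_t total_len,
                              uint8_t ihl_words)
{
    return (uint16_t)(base + total_len - ihl_words * 4u);
}

/* Checked form (hypothetical): validate each field, do the maths in
   size_t, and refuse any result that would not fit a 16-bit length.
   Returns 0 and writes *out on success, -1 if the packet must be dropped. */
int needed_len_checked(uint16_t base, uint16_t total_len, uint8_t ihl_words,
                       size_t received, size_t *out)
{
    size_t hdr = (size_t)ihl_words * 4u;

    if (hdr < IP4_MIN_HDR || hdr > received)
        return -1;                 /* malformed or truncated header */
    if (total_len < hdr)
        return -1;                 /* total_len - hdr would underflow */
    if (total_len > received)
        return -1;                 /* claims more bytes than arrived */

    size_t need = (size_t)base + (total_len - hdr);
    if (need > UINT16_MAX)
        return -1;                 /* would wrap when stored in 16 bits */

    *out = need;
    return 0;
}
```

The allocation and the copy should both use the value returned through `out`, so that the size check and the write cannot disagree.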
Affected Version(s)
GNU GRUB Linux 0 < 2.06-3
CVSS V3.1
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Daniel Axtens