Grub2-Set-Bootflag Flaw May Cause Filesystem Issues
CVE-2024-1048

3.3LOW

Key Information:

Vendor: Red Hat
Status: Grub2; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8
Vendor: CVE Published:; 6 February 2024

Summary

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.

References

http://www.openwall.com/lists/oss-security/2024/02/06/3

https://access.redhat.com/security/cve/CVE-2024-1048

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2256827

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 6, 2024
Vulnerability Reserved
Jan 29, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Solar Designer (CIQ/Rocky Linux) for reporting this issue.