GRUB2 Exit Issue Leads to Use-After-Free Condition and Potential Secure Boot Bypass

CVE-2024-2312

6.7MEDIUM

Key Information

Vendor: Debian
Status: Debian Based Gnu Grub
Vendor: CVE Published:; 5 April 2024

Summary

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

Affected Version(s)

Debian based GNU GRUB < 2.12-1ubuntu5

References

https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/...

issue-tracking

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312

issue-tracking

https://security.netapp.com/advisory/ntap-20240426-0003/

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 5, 2024

Collectors

NVD DatabaseMitre Database

Credit

Mate Kukri