CVE-2022-2601
CVSS V2 None
CVSS V3 None
Description
A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.
Overview
- CVE ID
- CVE-2022-2601
- Assigner
- secalert@redhat.com
- Vulnerability Status
- Modified
- Published Version
- 2022-12-14T21:15:10
- Last Modified Date
- 2023-02-03T10:15:17
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:* | 1 | OR | 2.06 | |
| cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:* | 1 | OR | ||
| cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:9.0:*:*:*:*:*:*:* | 1 | OR |
References
| Reference URL | Reference Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=2112975#c0 | Issue Tracking Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20230203-0004/ |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-2601 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2601 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-14 22:14:52 | Added to TrackCVE | |||
| 2022-12-18 09:30:10 | 2022-12-14T21:15:10.190 | 2022-12-14T21:15:10 | CVE Published Date | updated |
| 2022-12-18 09:30:11 | 2022-12-16T21:29:14 | CVE Modified Date | updated | |
| 2022-12-18 09:30:11 | Awaiting Analysis | Analyzed | Vulnerability Status | updated |
| 2022-12-18 09:30:25 | CPE Information | updated | ||
| 2023-02-03 11:14:47 | 2023-02-03T10:15:17 | CVE Modified Date | updated | |
| 2023-02-03 11:14:47 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-03 11:14:48 | References | updated |