CVE-2022-2601

moderate-risk

Published 2022-12-14

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.

Do I need to act?

0.06% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.6/10 High

LOCAL / LOW complexity

Affected Products (12)

Grub2

Fedora

Enterprise Linux Eus

Enterprise Linux For Power Little Endian Eus

Enterprise Linux Server Aus

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions

Enterprise Linux Server Tus

Enterprise Linux Server Update Services For Sap Solutions

Affected Vendors

Redhat Gnu Fedoraproject

References (7)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2112975#c0

https://security.gentoo.org/glsa/202311-14

https://security.netapp.com/advisory/ntap-20230203-0004/

https://arstechnica.com/security/2024/08/a-patch-microsoft-spent-2-years-prepari...

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2112975#c0

https://security.gentoo.org/glsa/202311-14

https://security.netapp.com/advisory/ntap-20230203-0004/

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 0/34 · Minimal

Exposure 17/34 · Moderate