CVE-2022-28733

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-28733
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-28733.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-28733
Related
Published
2023-07-20T01:15:10Z
Modified
2024-09-11T04:42:34.635833Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Integer underflow in grubnetrecvip4packets; A malicious crafted IP packet can lead to an integer underflow in grubnetrecvip4packets() function on rsm->totallen value. Under certain circumstances the totallen value may end up wrapping around to a small integer number which will be used in memory allocation. If the attack succeeds in such way, subsequent operations can write past the end of the buffer.

References

Affected packages

Debian:11 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-3~deb11u1

Affected versions

2.*

2.04-20
2.06-1
2.06-2
2.06-2+hurd.1
2.06-2+hurd.2
2.06-2+hurd.3
2.06-2+hurd.4
2.06-2+hurd.5
2.06-2+hurd.6
2.06-2+hurd.7
2.06-2+hurd.8
2.06-3~deb10u1
2.06-3~deb10u2
2.06-3~deb10u3
2.06-3~deb10u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}