CVE-2022-3775

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-3775
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-3775.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-3775
Related
Published
2022-12-19T20:15:11Z
Modified
2024-09-11T04:54:20.412100Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

References

Affected packages

Debian:11 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-3~deb11u4

Affected versions

2.*

2.04-20
2.06-1
2.06-2
2.06-2+hurd.1
2.06-2+hurd.2
2.06-2+hurd.3
2.06-2+hurd.4
2.06-2+hurd.5
2.06-2+hurd.6
2.06-2+hurd.7
2.06-2+hurd.8
2.06-3~deb10u1
2.06-3~deb10u2
2.06-3~deb10u3
2.06-3~deb10u4
2.06-3~deb11u1
2.06-3~deb11u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.06-5

Ecosystem specific

{
    "urgency": "not yet assigned"
}