Vulnerability Details CVE-2024-2312
GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 7.2%
CVSS Severity
CVSS v3 Score 6.7
References
- https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312
- https://security.netapp.com/advisory/ntap-20240426-0003/
- https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312
- https://security.netapp.com/advisory/ntap-20240426-0003/
Products affected by CVE-2024-2312
-
cpe:2.3:a:gnu:grub2:-
-
cpe:2.3:a:gnu:grub2:1.98
-
cpe:2.3:a:gnu:grub2:1.99
-
cpe:2.3:a:gnu:grub2:2.00
-
cpe:2.3:a:gnu:grub2:2.01
-
cpe:2.3:a:gnu:grub2:2.02
-
cpe:2.3:a:gnu:grub2:2.04
-
cpe:2.3:a:gnu:grub2:2.06
-
cpe:2.3:a:gnu:grub2:2.06-150400.7.1
-
cpe:2.3:a:gnu:grub2:2.06-18.1
-
cpe:2.3:a:gnu:grub2:2.12
-
cpe:2.3:h:netapp:hci_compute_node:-
-
cpe:2.3:o:netapp:bootstrap_os:-