CVE-2022-3775

When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/security/cve/cve-2022-3775	Third Party Advisory
https://security.gentoo.org/glsa/202311-14

Configurations

Configuration 1 (hide)

cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

History

25 Nov 2023, 12:15

Type	Values Removed	Values Added
References		() https://security.gentoo.org/glsa/202311-14 -

28 Dec 2022, 20:30

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.1
CPE		cpe:2.3:a:gnu:grub2:::::::: cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
First Time		Gnu grub2 Redhat Redhat enterprise Linux Gnu
References	~~(MISC) https://access.redhat.com/security/cve/cve-2022-3775 -~~	(MISC) https://access.redhat.com/security/cve/cve-2022-3775 - Third Party Advisory

19 Dec 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-12-19 20:15

Updated : 2023-12-10 14:48

NVD link : CVE-2022-3775

Mitre link : CVE-2022-3775

CVE.ORG link : CVE-2022-3775

JSON object : View

Products Affected

redhat

enterprise_linux

gnu

grub2

CWE

CWE-787

Out-of-bounds Write

{"id": "CVE-2022-3775", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2022-12-19T20:15:11.427", "references": [{"url": "https://access.redhat.com/security/cve/cve-2022-3775", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://security.gentoo.org/glsa/202311-14", "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded."}, {"lang": "es", "value": "Al representar ciertas secuencias Unicode, el c\u00f3digo de fuente de grub2 no se valida correctamente si el ancho y alto del glifo informado est\u00e1n restringidos dentro del tama\u00f1o del mapa de bits. Como consecuencia, un atacante puede crear una entrada que provocar\u00e1 una escritura fuera de los l\u00edmites en el mont\u00f3n de grub2, lo que provocar\u00e1 da\u00f1os en la memoria y problemas de disponibilidad. Aunque es compleja, no se puede descartar la ejecuci\u00f3n de c\u00f3digo arbitrario."}], "lastModified": "2023-11-25T12:15:07.270", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E48B3B4-3F7F-4169-ABC8-448AA351276E", "versionEndIncluding": "2.06"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}