CVE-2017-9763 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Radare2

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-400 — Uncontrolled Resource Consumption6 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2 Debian Grub2 Debian Radare2 +1 more

Timeline

PublishedJun 19

Latest updateMay 17

Description

The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/grub2< grub2 2.02~beta2-8 (bookworm)

▶Debiangnu/grub2< 2.02~beta2-8+3

▶debiandebian/radare2< grub2 2.02~beta2-8 (bookworm)

▶NVDradare/radare21.5.0

Patches

Patch: git.savannah.gnu.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-vvvg-pm5p-r68f: The grub_ext2_read_block function in fs/ext2↗2022-05-17

▶

OSV

CVE-2017-9763: The grub_ext2_read_block function in fs/ext2↗2017-06-19

▶

📋Vendor Advisories

Red Hat

grub2: Stack exhaustion in grub_ext2_read_block↗2017-06-11

▶

Debian

CVE-2017-9763: grub2 - The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as...↗2017

▶

💬Community

Bugzilla

CVE-2017-9763 grub2: Stack exhaustion in grub_ext2_read_block↗2017-06-20

▶