Severity: 6.4 MEDIUM
EPSS: 0.0% (top 90.26%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jul 29
Latest update: May 24

Description

In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.5 | Impact: 5.9

Affected Packages (4 packages)

Source | Package | Affected versions
NVD | gnu/grub2 | < 2.06
Debian | grub2 | < 2.04-9+3
CVEListV5 | grub | All grub2 versions before 2.06
NVD | opensuse/leap | 15.1, 15.2+1

🔴 Vulnerability Details (3)

Source | Title | Date
GHSA | GHSA-6f8f-rchr-mhp3: In grub2 versions before 2 | 2022-05-24
OSV | CVE-2020-14308: In grub2 versions before 2 | 2020-07-29
CVEList | CVE-2020-14308: In grub2 versions before 2 | 2020-07-29

📋 Vendor Advisories (4)

Source | Title | Date
Red Hat | grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow | 2020-07-29
Ubuntu | GRUB 2 vulnerabilities | 2020-07-29
Microsoft | In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations w | 2020-07-14
Debian | CVE-2020-14308: grub2 - In grub2 versions before 2.06 the grub memory allocator doesn't check for possib... | 2020

💬 Community (2)

Source | Title | Date
Bugzilla | CVE-2020-14308 grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow [fedora-all] | 2020-08-03
Bugzilla | CVE-2020-14308 grub2: grub_malloc does not validate allocation size allowing for arithmetic overflow and subsequent heap-based buffer overflow | 2020-06-29
CVE-2020-14308 (MEDIUM CVSS 6.4) | In grub2 versions before 2.06 the g | cvebase.io