CVE-2020-14311

CWE-122 — Heap-based Buffer Overflow CWE-190 — Integer Overflow10 documents9 sources

Severity

6.0MEDIUM

EPSS

0.0%

top 91.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2 THE Grub2 Project Grub2 Canonical Ubuntu Linux +5 more

Timeline

PublishedJul 31

Latest updateMay 24

Description

There is an issue with grub2 before version 2.06 while handling symlink on ext filesystems. A filesystem containing a symbolic link with an inode size of UINT32_MAX causes an arithmetic overflow leading to a zero-sized memory allocation with subsequent heap-based buffer overflow.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:HExploitability: 0.5 | Impact: 5.2

Affected Packages4 packages

▶NVDgnu/grub2< 2.06

▶Debiangrub2< 2.04-9+3

▶CVEListV5the_grub2_project/grub22.06

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 20.04, Enterprise Linux 7.0, 8.0, 8.1, 8.2

🔴Vulnerability Details

GHSA

GHSA-2jpf-4r7j-42qr: There is an issue with grub2 before version 2↗2022-05-24

▶

CVEList

CVE-2020-14311: There is an issue with grub2 before version 2↗2020-07-31

▶

OSV

CVE-2020-14311: There is an issue with grub2 before version 2↗2020-07-31

▶

📋Vendor Advisories

Red Hat

grub2: Integer overflow in grub_ext2_read_link leads to heap-based buffer overflow↗2020-07-29

▶

Ubuntu

GRUB 2 vulnerabilities↗2020-07-29

▶

Microsoft

▶

Debian

CVE-2020-14311: grub2 - There is an issue with grub2 before version 2.06 while handling symlink on ext f...↗2020

▶

💬Community

Bugzilla

CVE-2020-14311 grub2: Integer overflow in grub_ext2_read_link leads to heap-based buffer overflow [fedora-all]↗2020-08-03

▶

Bugzilla

CVE-2020-14311 grub2: Integer overflow in grub_ext2_read_link leads to heap-based buffer overflow↗2020-06-29

▶