CVE-2021-28211 — Heap-based Buffer Overflow in EDK II

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write CWE-120 — Classic Buffer Overflow11 documents9 sources

Severity

6.7MEDIUMNVD

OSV7.8

EPSS

0.1%

top 81.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tianocore Edk2 Tianocore EDK II

Timeline

PublishedJun 11

Latest updateOct 10

Description

A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages4 packages

▶Debiantianocore/edk2< 2020.11-1+3

▶Ubuntutianocore/edk2< 0~20191122.bd85bf54-2ubuntu3.2

▶NVDtianocore/edk2202008

▶CVEListV5tianocore/edk_iiedk2-stable202008

Patches

Patch: bugzilla.tianocore.org ↗Patch: bugzilla.tianocore.org ↗

🔴Vulnerability Details

GHSA

GHSA-9f7r-6p3j-j5wj: A heap overflow in LzmaUefiDecompressGetInfo function in EDK II↗2022-05-24

▶

OSV

CVE-2021-28211: A heap overflow in LzmaUefiDecompressGetInfo function in EDK II↗2021-06-11

▶

CVEList

CVE-2021-28211: A heap overflow in LzmaUefiDecompressGetInfo function in EDK II↗2021-06-11

▶

OSV

edk2 vulnerabilities↗2021-04-20

▶

📋Vendor Advisories

Ubuntu

EDK II vulnerabilities↗2024-10-10

▶

Microsoft

A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.↗2021-06-08

▶

Ubuntu

EDK II vulnerabilities↗2021-04-20

▶

Debian

CVE-2021-28211: edk2 - A heap overflow in LzmaUefiDecompressGetInfo function in EDK II.↗2021

▶

Red Hat

edk2: possible heap corruption with LzmaUefiDecompressGetInfo↗2020-11-19

▶

💬Community

Bugzilla

CVE-2021-28211 edk2: possible heap corruption with LzmaUefiDecompressGetInfo↗2020-09-29

▶