CVE-2022-36764: EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful…

high7.8CVSS 3.1

AVLACLPRLUINSUCHIHAH

EDK2 is susceptible to a vulnerability in the Tcg2MeasurePeImage() function, allowing a user to trigger a heap buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

Affected

19 ranges

Vendor	Product	Version range	Fixed in
debian	edk2	< edk2 2022.11-6+deb12u1 (bookworm)	edk2 2022.11-6+deb12u1 (bookworm)
msrc	azl3_edk2_20230301gitf80f052277c8-37_on_azure_linux_3.0	—	—
msrc	azl3_edk2_20240223gitedc6681206c1-1_on_azure_linux_3.0	—	—
msrc	azl3_qemu_8.2.0-16_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_edk2_20230301gitf80f052277c8-41_on_cbl_mariner_2.0	—	—
msrc	cbl2_hvloader_1.0.1-11_on_cbl_mariner_2.0	—	—
msrc	cbl2_qemu_6.2.0-24_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
tianocore	edk2	<= 202311	—
tianocore	edk2	* – 202311	—
tianocore	edk2	>= 0 < 2020.11-2+deb11u3	2020.11-2+deb11u3
tianocore	edk2	>= 0 < 2022.11-6+deb12u1	2022.11-6+deb12u1
tianocore	edk2	>= 0 < 2023.11-5	2023.11-5
tianocore	edk2	>= 0 < 2023.11-5	2023.11-5
tianocore	edk2	>= 0 < 0~20191122.bd85bf54-2ubuntu3.5	0~20191122.bd85bf54-2ubuntu3.5
tianocore	edk2	>= 0 < 2022.02-3ubuntu0.22.04.2	2022.02-3ubuntu0.22.04.2

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

osv7.8HIGH