CVE-2022-36765Integer Overflow to Buffer Overflow in Edk2

CWE-680Integer Overflow to Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents7 sources
Severity
7.8HIGHNVD
CNA7.0
EPSS
0.0%
top 88.12%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Tianocore Edk2
Timeline
PublishedJan 9
Latest updateFeb 15

Description

EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local network. Successful exploitation of this vulnerability may result in a compromise of confidentiality, integrity, and/or availability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

Debiantianocore/edk2< 2020.11-2+deb11u3+3
Ubuntutianocore/edk2< 0~20191122.bd85bf54-2ubuntu3.5+1
CVEListV5tianocore/edk2*202311
NVDtianocore/edk2202311

🔴Vulnerability Details

3
OSV
edk2 vulnerabilities2024-02-15
OSV
CVE-2022-36765: EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a user to trigger a integer overflow to buffer overflow via a local netwo2024-01-09
CVEList
Integer Overflow in CreateHob2024-01-09

📋Vendor Advisories

4
Ubuntu
EDK II vulnerabilities2024-02-15
Red Hat
EDK2: integer overflow in CreateHob() could lead to HOB OOB R/W2024-01-09
Microsoft
Integer Overflow in CreateHob2024-01-09
Debian
CVE-2022-36765: edk2 - EDK2 is susceptible to a vulnerability in the CreateHob() function, allowing a u...2022
CVE-2022-36765 — Integer Overflow to Buffer Overflow | cvebase