CVE-2023-45229 — Out-of-bounds Read in Edk2

CWE-125 — Out-of-bounds Read CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator CWE-835 — Infinite Loop6 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 67.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Tianocore Edk2

Timeline

PublishedJan 16

Description

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Debiantianocore/edk2< 2020.11-2+deb11u3+3

▶NVDtianocore/edk2202311

▶CVEListV5tianocore/edk2edk2-stable202308

🔴Vulnerability Details

CVEList

Out-of-Bounds Read in EDK II Network Package↗2024-01-16

▶

OSV

CVE-2023-45229: EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message↗2024-01-16

▶

📋Vendor Advisories

Red Hat

edk2: Integer underflow when processing IA_NA/IA_TA options in a DHCPv6 Advertise message↗2024-01-16

▶

Microsoft

Out-of-Bounds Read in EDK II Network Package↗2024-01-09

▶

Debian

CVE-2023-45229: edk2 - EDK2's Network Package is susceptible to an out-of-bounds read vulnerability wh...↗2023

▶