CVE-2024-45780

CWE-787 — Out-of-bounds Write7 documents7 sources

Severity

6.7MEDIUM

EPSS

0.0%

top 93.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2

Timeline

PublishedMar 3

Latest updateMar 11

Description

A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.8 | Impact: 5.9

Affected Packages2 packages

▶Debiangrub2< 2.12-6+1

▶NVDgnu/grub22.12

🔴Vulnerability Details

OSV

CVE-2024-45780: A flaw was found in grub2↗2025-03-03

▶

GHSA

GHSA-xxc4-h4cm-j5r2: A flaw was found in grub2↗2025-03-03

▶

CVEList

Grub2: fs/tar: integer overflow causes heap oob write↗2025-03-03

▶

📋Vendor Advisories

Microsoft

Grub2: fs/tar: integer overflow causes heap oob write↗2025-03-11

▶

Red Hat

grub2: fs/tar: Integer Overflow causes Heap OOB Write↗2025-02-18

▶

Debian

CVE-2024-45780: grub2 - A flaw was found in grub2. When reading tar files, grub2 allocates an internal b...↗2024

▶