CVE-2024-56738

CWE-208 CWE-2037 documents7 sources

Severity

5.3MEDIUM

EPSS

0.0%

top 92.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Timeline

PublishedDec 29

Description

GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

▶CVEListV5gnu/grub22.00 — 2.12

▶NVDgnu/grub22.12

GHSA

GHSA-9gmj-v2m8-qffv: GNU GRUB (aka GRUB2) through 2↗2024-12-29

▶

OSV

CVE-2024-56738: GNU GRUB (aka GRUB2) through 2↗2024-12-29

▶

CVEList

CVE-2024-56738: GNU GRUB (aka GRUB2) through 2↗2024-12-29

▶

Red Hat

grub2: Observable Timing Discrepancy resulting side-channel attacks↗2024-12-29

▶

Microsoft

GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.↗2024-12-10

▶

Debian

CVE-2024-56738: grub2 - GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for gru...↗2024

▶