CVE-2024-2312

MEDIUM6.7

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit

Published Apr 5, 2024

Modified 11 months ago

Details

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

References

WEBhttps://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127 WEBhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312 WEBhttps://security.netapp.com/advisory/ntap-20240426-0003/ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2024-2312

CVSS Analysis

CVSS v3.1

6.7

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

HighPR:H

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

HighI:H

Availability

HighA:H

6.7/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Ecosystems

Timeline

PublishedApr 5, 2024

ModifiedFeb 13, 2025