Your submission was sent successfully! Close

CVE-2020-14308

Published: 29 July 2020

In grub2 versions before 2.06 the grub memory allocator doesn't check for possible arithmetic overflows on the requested allocation size. This leads the function to return invalid memory allocations which can be further used to cause possible integrity, confidentiality and availability impacts during the boot process.

From the Ubuntu security team

It was discovered that the memory allocator for GRUB2 did not validate allocation size, resulting in multiple integer overflows and heap-based buffer overflows when handling certain filesystems, PNG images or disk metadata. A local attacker could use this to execute arbitrary code and bypass UEFI Secure Boot restrictions.

Priority

High

CVSS 3 base score: 6.4

Status

Package Release Status
grub2
Launchpad, Ubuntu, Debian
bionic
Released (2.02-2ubuntu8.16)
focal
Released (2.04-1ubuntu26.1)
groovy Not vulnerable
(2.04-1ubuntu26.1)
hirsute Not vulnerable
(2.04-1ubuntu26.1)
precise Ignored
(end of ESM support, was needed)
trusty
Released (2.02~beta2-9ubuntu1.20)
upstream Needs triage

xenial
Released (2.02~beta2-36ubuntu3.26)
grub2-signed
Launchpad, Ubuntu, Debian
bionic
Released (1.93.18)
eoan Ignored
(reached end-of-life)
focal
Released (1.142.3)
groovy Not vulnerable
(1.147)
hirsute Not vulnerable
(1.147)
precise Does not exist

trusty
Released (1.34.22)
upstream Needs triage

xenial
Released (1.66.26)