CVE-2022-3775

Published: 19 December 2022

When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded.

Notes

Author	Note
eslerm	grub2-unsigned contains Secure Boot security fixes the grub2 package unlikely affects Ubuntu's Secure Boot grub2 and grub2-unsigned should have same major version Ubuntu Secure Boot and ESM do not cover i386 trusty's GA kernel cannot handle new versions of grub
eslerm	Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)

Author

Note

eslerm

grub2-unsigned contains Secure Boot security fixes
the grub2 package unlikely affects Ubuntu's Secure Boot
grub2 and grub2-unsigned should have same major version
Ubuntu Secure Boot and ESM do not cover i386
trusty's GA kernel cannot handle new versions of grub

eslerm

Note that key revocation is required to protect against evil housekeeper attacks (such as BlackLotus)

Priority

Cvss 3 Severity Score

7.1

Score breakdown

Status

Package	Release	Status
grub2 Launchpad, Ubuntu, Debian	bionic	Not vulnerable (does not affect Secure Boot)
	focal	Not vulnerable (does not affect Secure Boot)
	jammy	Not vulnerable (does not affect Secure Boot)
	kinetic	Not vulnerable (does not affect Secure Boot)
	lunar	Not vulnerable (does not affect Secure Boot)
	mantic	Not vulnerable (does not affect Secure Boot)
	trusty	Not vulnerable (does not affect Secure Boot)
	upstream	Released (2.06-5)
	xenial	Not vulnerable (does not affect Secure Boot)
grub2-signed Launchpad, Ubuntu, Debian	bionic	Released (1.187.3~18.04.1)
	focal	Released (1.187.3~20.04.1)
	jammy	Released (1.187.3~22.04.1)
	kinetic	Ignored (end of life)
	lunar	Not vulnerable (1.192)
	mantic	Not vulnerable (1.193)
	trusty	Needs triage
	upstream	Needs triage
	xenial	Needs triage
grub2-unsigned Launchpad, Ubuntu, Debian	bionic	Released (2.06-2ubuntu14.1)
	focal	Released (2.06-2ubuntu14)
	jammy	Released (2.06-2ubuntu14)
	kinetic	Ignored (end of life)
	lunar	Released (2.06-2ubuntu15)
	mantic	Not vulnerable (2.12~rc1-10ubuntu4)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage

Severity score breakdown

Parameter	Value
Base score	7.1
Attack vector	Local
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

References

Bugs

https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/1996950

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›