NIXPKGS-2026-0004

GitHub issue published on 30 Jan 2026

Permalink CVE-2024-45781

updated 4 days, 5 hours ago by @fricklerhandwerk Activity log

Created automatic suggestion 4 days, 23 hours ago
@fricklerhandwerk removed package grub2_pvhgrub_image 4 days, 14 hours ago
@fricklerhandwerk accepted 4 days, 5 hours ago
@fricklerhandwerk published on GitHub 4 days, 5 hours ago

Grub2: fs/ufs: oob write in the heap

A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.

Affected products

grub2

=<2.12
*

rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

Package maintainers

@hehongbo Hongbo
@digitalrane Rane <rane+git@junkyard.systems>
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@SigmaSquadron Fernando Rodrigues <alpha@sigmasquadron.net>

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0004

Affected products

Matching in nixpkgs

pkgs.grub2_pvgrub_image

Package maintainers