Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Details of issue NIXPKGS-2026-0004

NIXPKGS-2026-0004
published on
Permalink CVE-2024-45781
6.7 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): LOCAL
  • Attack complexity (AC): LOW
  • Privileges required (PR): HIGH
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): HIGH
updated 2 months, 2 weeks ago by @fricklerhandwerk Activity log
  • Created automatic suggestion 2 months, 2 weeks ago
  • @fricklerhandwerk ignored package grub2_pvhgrub_image 2 months, 2 weeks ago
  • @fricklerhandwerk accepted 2 months, 2 weeks ago
  • @fricklerhandwerk published on GitHub 2 months, 2 weeks ago
Grub2: fs/ufs: oob write in the heap

A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.

References

Affected products

grub2
  • =<2.12
  • *
rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-25.11 -
    • nixpkgs-25.11-darwin
Ignored packages (1)

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-25.11 -
    • nixpkgs-25.11-darwin

Package maintainers