NIXPKGS-2026-0004

GitHub issue published 4 months ago

Permalink CVE-2024-45781

6.7 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): High (H)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 months ago by @fricklerhandwerk Activity log

Created suggestion 4 months ago
@fricklerhandwerk ignored package grub2_pvhgrub_image 4 months ago
@fricklerhandwerk accepted 4 months ago
@fricklerhandwerk published on GitHub 4 months ago

Grub2: fs/ufs: oob write in the heap

A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.

References

https://access.redhat.com/security/cve/CVE-2024-45781 vdb-entryx_refsource_REDHAT
RHBZ#2345857 x_refsource_REDHATissue-tracking
RHSA-2025:6990 x_refsource_REDHATvendor-advisory
RHSA-2025:16154 x_refsource_REDHATvendor-advisory

Affected products

grub2

*
=<2.12

rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

Ignored packages (1)

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

Package maintainers

@hehongbo Hongbo
@digitalrane Rane <rane+git@junkyard.systems>
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@SigmaSquadron Fernando Rodrigues <alpha@sigmasquadron.net>