CVSS2: 7.2 High

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 7.6 High

Metric | Value |
---|---|
Attack Vector | PHYSICAL |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.002 Low (Percentile 58.6%)

A flaw was found in grub2 in versions prior to 2.06. During USB device
initialization, descriptors are read with very little bounds checking, and
the code assumes the USB device is providing sane values. If properly
exploited, an attacker could trigger memory corruption leading to arbitrary
code execution, allowing a bypass of the Secure Boot mechanism. The highest
threat from this vulnerability is to data confidentiality and integrity as
well as system availability.

Author | Note |
---|---|
sbeattie | Ubuntu packaging does not include the usb module in the signed EFI grub artifacts, so is not affected. grub2-unsigned will contain fixes and supersede grub2, which will contain only BIOS grub bits. |