CVE-2023-45232

HIGH

Tianocore Edk2 < 202311 - Infinite Loop

Title source: rule

Description

EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.

References (7)

[Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/176574/PixieFail-Proof-Of-Concepts.html

[Mailing List] http://www.openwall.com/lists/oss-security/2024/01/16/2

[Mailing List] https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/SJ42V7O7F4OU6R7QSQQECLB6LDHKZIMQ/

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/132380

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240307-0011/

[Vendor Advisory] https://github.com/tianocore/edk2/security/advisories/GHSA-hc6x-cw6p-gj7h

Scores

CVSS v3 7.5

EPSS 0.0048

EPSS Percentile 65.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-835

Status published

Products (1)

tianocore/edk2 < 202311

Published Jan 16, 2024

Tracked Since Feb 18, 2026