CVE-2024-1048

LOW

grub2-set-bootflag - DoS

Title source: llm

Description

A flaw was found in the grub2-set-bootflag utility of grub2. After the fix of CVE-2019-14865, grub2-set-bootflag will create a temporary file with the new grubenv content and rename it to the original grubenv file. If the program is killed before the rename operation, the temporary file will not be removed and may fill the filesystem when invoked multiple times, resulting in a filesystem out of free inodes or blocks.

References (9)

[Mailing List, Third Party Advisory] https://www.openwall.com/lists/oss-security/2024/02/06/3

[Mailing List] http://www.openwall.com/lists/oss-security/2024/02/06/3

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20240223-0007/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/XRZQCVZ3XOASVFT6XLO7F2ZXOLOHIJZQ/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/[email protected]/message/YSJAEGRR3XHMBBBKYOVMII4P34IXEYPE/

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:2456

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2024:3184

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2024-1048

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2256827

Scores

CVSS v3 3.3

EPSS 0.0001

EPSS Percentile 1.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-459

Status published

Products (4)

fedoraproject/fedora 40

gnu/grub2

redhat/enterprise_linux 8.0

redhat/enterprise_linux 9.0

Published Feb 06, 2024

Tracked Since Feb 18, 2026