CVE-2024-45780

MEDIUM

GRUB2 < 2.12 - Heap Out-of-Bounds Write via Crafted Tar File

Title source: llm

Description

A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections.

References (3)

Core 3

Core References

Mailing List

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

Third Party Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2024-45780

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2345856

Scores

CVSS v3 6.7

EPSS 0.0002

EPSS Percentile 7.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-787

Status published

Products (1)

gnu/grub2 < 2.12

Published Mar 03, 2025

Tracked Since Feb 18, 2026