CVE-2024-2312

Description

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

Debian / Debian based GNU GRUB0 – 2.12-1ubuntu5

References

MISChttps://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127
CONFIRMhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312
MISChttps://security.netapp.com/advisory/ntap-20240426-0003/