Vulnerability Description
GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Grub2 | < 2.12-1ubuntu5 |
| Netapp | Bootstrap Os | - |
| Netapp | Hci Compute Node | - |
Related Weaknesses (CWE)
References
- https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127ExploitIssue TrackingPatch
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312Third Party Advisory
- https://security.netapp.com/advisory/ntap-20240426-0003/Third Party Advisory
- https://bugs.launchpad.net/ubuntu/+source/grub2-unsigned/+bug/2054127ExploitIssue TrackingPatch
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2312Third Party Advisory
- https://security.netapp.com/advisory/ntap-20240426-0003/Third Party Advisory
FAQ
What is CVE-2024-2312?
CVE-2024-2312 is a vulnerability with a CVSS score of 6.7 (MEDIUM). GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntu's peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could po...
How severe is CVE-2024-2312?
CVE-2024-2312 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-2312?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Grub2, Netapp Bootstrap Os, Netapp Hci Compute Node.