#VU97766 Integer overflow in edk2 - CVE-2024-38796
Published: September 30, 2024 / Updated: November 27, 2025
Vulnerability identifier: #VU97766
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-38796
CWE-ID: CWE-190
Exploitation vector: Adjecent network
Exploit availability:
No public exploit available
Vulnerable software:
edk2
edk2
Software vendor:
TianoCore
TianoCore
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in PeCoffLoaderRelocateImage. A remote user on the local network can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.