#VU32934 Integer overflow in grub


Published: 2020-07-30

Vulnerability identifier: #VU32934

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-14309

CWE-ID: CWE-190

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
grub
Universal components / Libraries / Libraries used by multiple products

Vendor: GNU

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an integer overflow when handling symlinks on an ext filesystem in the grub_squash_read_symlink() function. A local user can create a specially crafted symlink, trigger an integer overflow and crash the system.
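As an added illustration of the CWE-190 pattern this record describes (example code, not grub's own): a symlink reader whose buffer size is derived from a 32-bit length field read from the image. The inode layout, the length-plus-terminator computation and the sample inodes are constructed assumptions; the unchecked size wraps to zero on a maximal length, while the checked size rejects the inode before any allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for an on-disk symlink inode: a 32-bit length field
 * plus the target bytes (an assumption, not grub's real layout). */
struct symlink_inode {
    uint32_t namelen;            /* untrusted: read straight from the image */
    const unsigned char *name;
};

/* Unchecked size: namelen + 1 is evaluated in 32 bits, so a corrupted
 * length of 0xFFFFFFFF wraps to 0 and the allocation becomes undersized. */
static uint32_t naive_alloc_size(uint32_t namelen) { return namelen + 1; }
/* Checked size: namelen + 1, or -1 when the addition would wrap. */
static long long checked_alloc_size(uint32_t namelen)
{
    uint32_t size;
    if (__builtin_add_overflow(namelen, 1u, &size))
        return -1;
    return size;
}

/* Copies the link target into a NUL-terminated buffer; returns NULL and
 * allocates nothing when the length field is inconsistent. Caller frees. */
static char *read_symlink_checked(const struct symlink_inode *ino)
{
    long long size = checked_alloc_size(ino->namelen);
    if (size < 0)
        return NULL;                       /* refuse the corrupted inode */
    char *buf = malloc((size_t)size);
    if (buf == NULL)
        return NULL;
    memcpy(buf, ino->name, ino->namelen);
    buf[ino->namelen] = '\0';
    return buf;
}

/* Constructed samples: a sane inode and one carrying a maximal length. */
static const struct symlink_inode good_inode = { 5, (const unsigned char *)"/boot" };
static const struct symlink_inode bad_inode = { 0xFFFFFFFFu, (const unsigned char *)"/boot" };
int main(void)
{
    printf("naive 0x%x -> %u, checked -> %lld\n", 0xFFFFFFFFu,
           naive_alloc_size(0xFFFFFFFFu), checked_alloc_size(0xFFFFFFFFu));
    printf("bad inode %s\n", read_symlink_checked(&bad_inode) ? "accepted" : "rejected");
    return 0;
}
```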

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

grub: 2.00 - 2.05

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1852022
