An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.

Metrics

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

References
Link Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-45779 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-45779 cve-icon
History

Wed, 19 Feb 2025 14:00:00 +0000

Type Values Removed Values Added
Description An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash.
Title grub2: fs/bfs: Integer overflow leads to Heap OOB Read in the BFS parser
Weaknesses CWE-125
CWE-190
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate
cve-icon MITRE

No data.

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2025-02-18T18:00:00Z

Links: CVE-2024-45779 - Bugzilla