Search for packages
| purl | pkg:deb/debian/grub2@2.06-3~deb11u2 |
| Next non-vulnerable version | 2.12-1~bpo12+1 |
| Latest non-vulnerable version | 2.12-1~bpo12+1 |
| Risk | 3.9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3c59-utt9-aaag
Aliases: CVE-2023-4693 |
An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. |
Affected by 23 other vulnerabilities. |
|
VCID-5dza-1mxg-aaaf
Aliases: CVE-2022-2601 |
A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism. |
Affected by 23 other vulnerabilities. |
|
VCID-pun4-pr3v-aaaf
Aliases: CVE-2023-4692 |
An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. |
Affected by 23 other vulnerabilities. |
|
VCID-ymcd-vs51-aaaa
Aliases: CVE-2022-3775 |
When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded. |
Affected by 23 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1xuh-cv6r-aaac | CVE-2021-3697 grub2: Crafted JPEG image can lead to buffer underflow write in the heap |
CVE-2021-3697
|
| VCID-3c59-utt9-aaag | An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. |
CVE-2023-4693
|
| VCID-4e5m-j6sx-aaae | CVE-2022-28734 grub2: Out-of-bound write when handling split HTTP headers |
CVE-2022-28734
|
| VCID-5dza-1mxg-aaaf | A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism. |
CVE-2022-2601
|
| VCID-6gkq-swtq-aaae | CVE-2022-28733 grub2: Integer underflow in grub_net_recv_ip4_packets |
CVE-2022-28733
|
| VCID-6yf6-65rp-aaaf | CVE-2022-28736 grub2: use-after-free in grub_cmd_chainloader() |
CVE-2022-28736
|
| VCID-7h19-ynra-aaaq | CVE-2021-3695 grub2: Crafted PNG grayscale images may lead to out-of-bounds write in heap |
CVE-2021-3695
|
| VCID-8kr2-yz1x-aaas | CVE-2021-3696 grub2: Crafted PNG image may lead to out-of-bound write during huffman table handling |
CVE-2021-3696
|
| VCID-pun4-pr3v-aaaf | An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. |
CVE-2023-4692
|
| VCID-ubvn-99dq-aaam | A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released. |
CVE-2021-3981
|
| VCID-ymcd-vs51-aaaa | When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded. |
CVE-2022-3775
|
| VCID-zwqy-g4m8-aaaj | CVE-2022-28735 grub2: shim_lock verifier allows non-kernel files to be loaded |
CVE-2022-28735
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-06-21T18:45:40.093502+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.3 |
| 2025-06-21T18:15:36.966235+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.3 |
| 2025-06-21T18:03:09.525702+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 36.1.3 |
| 2025-06-21T17:18:16.774551+00:00 | Debian Oval Importer | Fixing | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T16:32:13.703496+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T14:50:35.289525+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T14:02:20.083330+00:00 | Debian Oval Importer | Fixing | VCID-pun4-pr3v-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.3 |
| 2025-06-21T06:45:15.860553+00:00 | Debian Oval Importer | Affected by | VCID-5dza-1mxg-aaaf | None | 36.1.3 |
| 2025-06-21T06:44:24.677244+00:00 | Debian Oval Importer | Affected by | VCID-ymcd-vs51-aaaa | None | 36.1.3 |
| 2025-06-21T06:43:41.190274+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.1.3 |
| 2025-06-21T06:42:44.705602+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.1.3 |
| 2025-06-21T06:09:05.732235+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 36.1.3 |
| 2025-06-21T06:05:58.477657+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | None | 36.1.3 |
| 2025-06-21T05:17:04.605264+00:00 | Debian Oval Importer | Fixing | VCID-6yf6-65rp-aaaf | None | 36.1.3 |
| 2025-06-21T04:26:45.975338+00:00 | Debian Oval Importer | Fixing | VCID-1xuh-cv6r-aaac | None | 36.1.3 |
| 2025-06-21T04:17:09.997971+00:00 | Debian Oval Importer | Fixing | VCID-7h19-ynra-aaaq | None | 36.1.3 |
| 2025-06-21T03:26:29.948696+00:00 | Debian Oval Importer | Fixing | VCID-zwqy-g4m8-aaaj | None | 36.1.3 |
| 2025-06-21T03:13:36.122407+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | None | 36.1.3 |
| 2025-06-21T01:42:11.621964+00:00 | Debian Oval Importer | Fixing | VCID-4e5m-j6sx-aaae | None | 36.1.3 |
| 2025-06-20T23:49:37.261786+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T23:25:46.540566+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 36.1.3 |
| 2025-06-08T12:49:41.445103+00:00 | Debian Oval Importer | Affected by | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T12:33:56.777125+00:00 | Debian Oval Importer | Affected by | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T12:05:19.036581+00:00 | Debian Oval Importer | Fixing | VCID-1xuh-cv6r-aaac | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T11:57:44.939372+00:00 | Debian Oval Importer | Affected by | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T11:15:38.231195+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T10:46:47.724221+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T09:59:24.530117+00:00 | Debian Oval Importer | Fixing | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T09:18:01.265095+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T07:43:59.085159+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T06:56:22.451444+00:00 | Debian Oval Importer | Fixing | VCID-pun4-pr3v-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.1.0 |
| 2025-06-08T00:24:45.722178+00:00 | Debian Oval Importer | Affected by | VCID-5dza-1mxg-aaaf | None | 36.1.0 |
| 2025-06-08T00:23:54.672600+00:00 | Debian Oval Importer | Affected by | VCID-ymcd-vs51-aaaa | None | 36.1.0 |
| 2025-06-08T00:23:10.560530+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.1.0 |
| 2025-06-08T00:22:13.420782+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.1.0 |
| 2025-06-07T23:44:46.790333+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | None | 36.1.0 |
| 2025-06-07T22:54:39.253266+00:00 | Debian Oval Importer | Fixing | VCID-6yf6-65rp-aaaf | None | 36.1.0 |
| 2025-06-07T22:02:59.143981+00:00 | Debian Oval Importer | Fixing | VCID-1xuh-cv6r-aaac | None | 36.1.0 |
| 2025-06-07T21:53:02.595831+00:00 | Debian Oval Importer | Fixing | VCID-7h19-ynra-aaaq | None | 36.1.0 |
| 2025-06-07T20:59:50.083107+00:00 | Debian Oval Importer | Fixing | VCID-zwqy-g4m8-aaaj | None | 36.1.0 |
| 2025-06-07T20:46:30.054742+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | None | 36.1.0 |
| 2025-06-07T19:05:20.154999+00:00 | Debian Oval Importer | Fixing | VCID-4e5m-j6sx-aaae | None | 36.1.0 |
| 2025-04-12T21:29:27.222996+00:00 | Debian Oval Importer | Fixing | VCID-7h19-ynra-aaaq | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T20:22:38.146153+00:00 | Debian Oval Importer | Fixing | VCID-6yf6-65rp-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T20:12:12.691470+00:00 | Debian Oval Importer | Fixing | VCID-4e5m-j6sx-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T19:36:09.862825+00:00 | Debian Oval Importer | Fixing | VCID-zwqy-g4m8-aaaj | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T19:21:58.904930+00:00 | Debian Oval Importer | Affected by | VCID-pun4-pr3v-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:36:39.842379+00:00 | Debian Oval Importer | Affected by | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:20:25.262089+00:00 | Debian Oval Importer | Affected by | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T17:50:45.904575+00:00 | Debian Oval Importer | Fixing | VCID-1xuh-cv6r-aaac | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T17:42:57.789728+00:00 | Debian Oval Importer | Affected by | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T16:59:22.728383+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T16:28:52.730070+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-08T08:31:40.569557+00:00 | Debian Oval Importer | Fixing | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T07:50:07.757854+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T06:16:27.376505+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-08T05:28:53.323264+00:00 | Debian Oval Importer | Fixing | VCID-pun4-pr3v-aaaf | https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 | 36.0.0 |
| 2025-04-07T22:57:04.309791+00:00 | Debian Oval Importer | Affected by | VCID-5dza-1mxg-aaaf | None | 36.0.0 |
| 2025-04-07T22:56:11.510137+00:00 | Debian Oval Importer | Affected by | VCID-ymcd-vs51-aaaa | None | 36.0.0 |
| 2025-04-07T22:55:27.515193+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.0.0 |
| 2025-04-07T22:54:28.773157+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.0.0 |
| 2025-04-07T22:16:53.439341+00:00 | Debian Oval Importer | Fixing | VCID-8kr2-yz1x-aaas | None | 36.0.0 |
| 2025-04-07T21:26:39.737427+00:00 | Debian Oval Importer | Fixing | VCID-6yf6-65rp-aaaf | None | 36.0.0 |
| 2025-04-07T20:34:00.496035+00:00 | Debian Oval Importer | Fixing | VCID-1xuh-cv6r-aaac | None | 36.0.0 |
| 2025-04-07T20:23:26.953672+00:00 | Debian Oval Importer | Fixing | VCID-7h19-ynra-aaaq | None | 36.0.0 |
| 2025-04-07T19:30:16.033075+00:00 | Debian Oval Importer | Fixing | VCID-zwqy-g4m8-aaaj | None | 36.0.0 |
| 2025-04-07T19:17:01.272289+00:00 | Debian Oval Importer | Fixing | VCID-6gkq-swtq-aaae | None | 36.0.0 |
| 2025-04-07T17:43:12.515001+00:00 | Debian Oval Importer | Fixing | VCID-4e5m-j6sx-aaae | None | 36.0.0 |
| 2025-04-05T14:11:50.658299+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 36.0.0 |
| 2025-04-05T03:23:48.178000+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 36.0.0 |
| 2025-04-04T02:31:06.099178+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T02:06:16.571110+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 36.0.0 |
| 2025-02-21T14:28:11.651719+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 35.1.0 |
| 2025-02-21T14:28:03.222391+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 35.1.0 |
| 2025-02-20T05:32:23.033735+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2025-02-20T05:32:20.342501+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 35.1.0 |
| 2024-11-24T03:32:14.886821+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 35.0.0 |
| 2024-11-24T03:32:08.405119+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 35.0.0 |
| 2024-10-11T00:55:25.950112+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 34.0.2 |
| 2024-10-11T00:55:18.966542+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 34.0.2 |
| 2024-09-20T05:32:16.141333+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 34.0.1 |
| 2024-09-20T05:32:09.343182+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 34.0.1 |
| 2024-04-26T05:53:00.046612+00:00 | Debian Importer | Fixing | VCID-3c59-utt9-aaag | None | 34.0.0rc4 |
| 2024-04-26T05:52:50.800054+00:00 | Debian Importer | Fixing | VCID-pun4-pr3v-aaaf | None | 34.0.0rc4 |
| 2024-04-25T04:13:20.108867+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-04-25T04:13:16.934970+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 34.0.0rc4 |
| 2024-01-11T05:41:18.836487+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-11T05:41:03.813524+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 34.0.0rc2 |
| 2024-01-04T16:57:42.205063+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-04T16:57:28.481340+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 34.0.0rc1 |