PT-2023-4426 · Unknown · Efibootguard

Onionpsy · Published 2023-08-14 · Updated 2023-08-22 · CVE-2023-39950

CVSS v3.1: 6.1 (Medium)
Vector: AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:L

Name of the Vulnerable Software and Affected Versions
efibootguard versions prior to v0.15

Description
The issue exists due to insufficient validation and sanitization of input from untrustworthy bootloader environment files, which can cause crashes and potentially allow code injections into bg_setenv or programs using libebgenv. This is triggered when the affected components try to modify a manipulated environment, specifically its user variables. Furthermore, bg_printenv may crash over invalid read accesses or report invalid results.

Recommendations
To resolve the issue, update the efibootguard library and tools to version v0.15 or later. Additionally, update programs that are statically linked against it. As a temporary workaround, consider avoiding accesses to user variables, specifically modifications to them, until the update is applied. Note that an update of the bootloader EFI executable is not required.

Exploit

Fix

RCE

Related identifiers

BDU:2023-04771
CVE-2023-39950
GHSA-J6PP-7G99-24M7

Affected products

Efibootguard