PT-2022-5490 · Grub2+9

Marco Benatto · Published 2022-11-15 · Updated 2026-06-01 · CVE-2022-2601

CVSS v3.1: 8.6 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: GRUB2 (affected versions not specified)

Description: A buffer overflow was found in the grub_font_construct_glyph() function of GRUB2. A maliciously crafted pf2 font can cause an integer overflow when the maximum glyph size is calculated, so a buffer smaller than needed is allocated for the glyph; writing the glyph into it then produces a heap-based out-of-bounds write. An attacker may use this issue to circumvent the Secure Boot mechanism. The vulnerability can be exploited to affect the system.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider disabling the Secure Boot feature or deleting the Microsoft SBAT to mitigate the issue.

DoS · Heap Based Buffer Overflow · Memory Corruption

Weakness Enumeration

Related Identifiers

ALSA-2023:0049
ALSA-2023:0752
ALT-PU-2023-1427
ALT-PU-2023-6074
ALT-PU-2024-11222
AZL-11604
AZL-34787
BDU:2022-06819
CESA-2023_0049
CVE-2022-2601
DLA-3190-1
DLA-3190-2
DSA-5280-1
OESA-2022-2118
OPENSUSE-SU-2022_4141-1
OPENSUSE-SU-2022_4219-1
OPENSUSE-SU-2024:12517-1
RHSA-2022:8494
RHSA-2022:8800
RHSA-2022:8978
RHSA-2023:0047
RHSA-2023:0048
RHSA-2023:0049
RHSA-2023:0752
RHSA-2023_0049
RHSA-2023_0752
RHSA-2024:2002
RHSA-2024_2002
RLSA-2023:0049
RLSA-2023:0752
ROSA-SA-2024-2348
ROSA-SA-2024-2461
ROSA-SA-2025-2894
SUSE-SU-2022:4140-1
SUSE-SU-2022:4141-1
SUSE-SU-2022:4142-1
SUSE-SU-2022:4143-1
SUSE-SU-2022:4144-1
SUSE-SU-2022:4218-1
SUSE-SU-2022:4219-1
SUSE-SU-2022:4302-1
SUSE-SU-2022_4140-1
SUSE-SU-2022_4141-1
SUSE-SU-2022_4142-1
SUSE-SU-2022_4143-1
SUSE-SU-2022_4144-1
SUSE-SU-2022_4218-1
SUSE-SU-2022_4219-1
SUSE-SU-2022_4302-1
SUSE-SU-2023:1701-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Grub2
Red Hat
Red Os
Rocky Linux
Suse
Windows