CVE-2021-3697

Name of the Vulnerable Software and Affected Versions grub2 versions prior to 2.12

Description A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To successfully exploit this issue, an attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This can lead to data corruption and eventual code execution or secure boot circumvention. The exploitation allows an attacker to access confidential data, compromise their integrity, and cause a denial of service using a specially crafted JPEG image.

Recommendations For versions prior to 2.12, update to version 2.12 or later to resolve the issue. As a temporary workaround, consider restricting the use of JPEG images in the grub2 environment until a patch is available. Avoid using maliciously crafted JPEG images to minimize the risk of exploitation. At the moment, there is no other information about additional mitigation measures.