VDB

ALPINE-CVE-2021-3697

ALPINE-CVE-2021-3697 PUBLISHED CVSS 7 HIGH

A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.

Risk Scores

CVSS v3.1
7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.21grub2.02_beta3-r3, 2.06-r0, 2.02-r4
Alpine:v3.18grub2.02-r1, 2.02-r19, *
Alpine:v3.23grub2.06-r6, 0, 2.02-r0
Alpine:v3.22grub2.04-r0, 2.06-r9, 2.06-r8
Alpine:v3.15grub2.02-r19, 2.02-r0, 2.02-r10
Alpine:v3.16grub2.02_beta3-r2, 2.02_beta3-r3, 2.02_beta3-r4
Alpine:v3.19grub2.02-r10, 2.02-r1, 2.02-r0
Alpine:v3.20grub2.02-r7, 2.02-r4, 2.02-r3
Alpine:v3.17grub2.02-r16, 2.02-r0, *

Timeline

  • Jul 6, 2022 CVE Published
  • Dec 3, 2025 CVE Updated
  • Apr 30, 2026 Distribution Patch

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›