VDB

CVE-2020-14309

CVE-2020-14309 PUBLISHED

There's an issue with grub2 in all versions before 2.06 when handling squashfs filesystems containing a symbolic link with name length of UINT32 bytes in size. The name size leads to an arithmetic overflow leading to a zero-size allocation further causing a heap-based buffer overflow with attacker controlled data.

EPSS 0.04% · 14.2th percentile

Risk Scores

EPSS Score
0.04%
14.2th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:14.04:LTSgrub22.02~beta2-9ubuntu1.8, 2.02~beta2-9ubuntu1.11, 2.02~beta2-9ubuntu1.12
Ubuntu:20.04:LTSgrub2-signed0, 1.128, 1.129
Ubuntu:18.04:LTSgrub22.02-2ubuntu8.2, 2.02-2ubuntu8.15, 2.02-2ubuntu8.14
Ubuntu:20.04:LTSgrub2-unsigned2.04-1ubuntu44, 0, 2.04-1ubuntu44.2
Ubuntu:Pro:14.04:LTSgrub2-signed1.34.20, 1.34.18, 1.34.17
Ubuntu:16.04:LTSgrub2-signed1.65, 1.66.7, 1.66.23
Ubuntu:18.04:LTSgrub2-signed1.93, 0, 1.85
Ubuntu:16.04:LTSgrub2-unsigned2.04-1ubuntu44.1.2, 2.04-1ubuntu44.1, 2.04-1ubuntu44
Ubuntu:16.04:LTSgrub2*, 0, *
Ubuntu:18.04:LTSgrub2-unsigned2.04-1ubuntu44.1.2, 2.04-1ubuntu44.1, 2.04-1ubuntu44
Ubuntu:20.04:LTSgrub20, 2.04-1ubuntu25, 2.04-1ubuntu18

Timeline

  • Jul 29, 2020 CVE Published
  • Apr 14, 2021 EPSS Score
  • Jun 22, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 25, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 27, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 2, 2022 EPSS Score
  • Sep 4, 2022 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›