VDB
CVE-2023-40238
CVE-2023-40238
PUBLISHED
BRLY-LOGOFAIL-2023-001 Medium CVE-2023-40238 BINARLY efiXplorer team has discovered a memory contents leak / information disclosure vulnerability. BmpHeader->ImageOffset is not validated during parsing of arbitrary BMP file on Insyde firmware. The attacker can make it as high as 0xFFFFFFFF and thus display the contents of physical memory (in the form of pixels).
EPSS 0.18% · 39.6th percentile
Risk Scores
EPSS Score
0.18%
39.6th percentile
Exploit Intelligence
- Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access (binarly)
- https://binarly.io/posts/finding_logofail_the_dangers_of_image_parsing_during_system_boot/index.html (nist-nvd)
- [BRLY-2023-006] Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access. (binarly)
Timeline
- Dec 6, 2023 CVE Published
- Dec 7, 2023 EPSS Score
- Jan 5, 2024 EPSS Score
- Feb 4, 2024 EPSS Score
- Mar 4, 2024 EPSS Score
- Apr 3, 2024 EPSS Score
- May 2, 2024 EPSS Score
- Jun 1, 2024 EPSS Score
- Jun 30, 2024 EPSS Score
- Jul 30, 2024 EPSS Score
- Aug 28, 2024 EPSS Score
- Sep 27, 2024 EPSS Score
References
- [BRLY-2023-006] Multiple vulnerabilities in image parsing functions can be exploited by an attacker with local access. advisory
- [BRLY-LOGOFAIL-2023-012] Memory Corruption vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-011] Memory contents leak / information disclosure vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-009] Out-of-bounds Read in DXE driver advisory
- [BRLY-LOGOFAIL-2023-010] Null Pointer Dereference in DXE driver advisory
- [BRLY-LOGOFAIL-2023-008] Null Pointer Dereference in DXE driver advisory
- [BRLY-LOGOFAIL-2023-006] Memory Corruption vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-001] Memory contents leak / information disclosure vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-007] Memory Corruption vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-005] Out-of-bounds Read in DXE driver advisory
- [BRLY-LOGOFAIL-2023-003] Memory Corruption vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-002] Memory Corruption vulnerability in DXE driver advisory
- [BRLY-LOGOFAIL-2023-004] Memory Corruption vulnerability in DXE driver advisory
- Memory Corruption vulnerability in DXE driver. advisory
- Memory contents leak / information disclosure vulnerability in DXE driver. advisory
- Null Pointer Dereference in DXE driver. advisory
- Out-of-bounds Read in DXE driver. advisory
- Null Pointer Dereference in DXE driver. advisory
- Memory Corruption vulnerability in DXE driver. advisory
- Memory Corruption vulnerability in DXE driver. advisory
…and 6 more