
DEBIAN-CVE-2022-28734

DEBIAN-CVE-2022-28734 PUBLISHED CVSS 7 HIGH

Out-of-bounds write when handling split HTTP headers. When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to an out-of-bounds write further on when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker-controlled set of packets can lead to corruption of GRUB2's internal memory metadata.

Risk Scores

CVSS 3.1
7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | grub2 | 2.06-2+hurd.2, 2.06-2+hurd.6, 2.06-2+hurd.7 |
| Debian:14 | grub2 | 0, 0, 0 |
| Debian:12 | grub2 | 0, 0, 0 |
| Debian:13 | grub2 | 0, 0, 0 |

Timeline

  • Jul 20, 2023 CVE Published
  • Apr 28, 2026 CVE Updated