CVE-2020-15706 GRUB2 contains a race condition leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing.

2020-07-2900:00:00

CWE-362

canonical

www.cve.org

6.4 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

7.6 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

62.0%

JSON

GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions.

CNA Affected

[
  {
    "product": "grub2 in Ubuntu",
    "vendor": "Ubuntu",
    "versions": [
      {
        "lessThan": "2.04-1ubuntu26.1",
        "status": "affected",
        "version": "20.04 LTS",
        "versionType": "custom"
      },
      {
        "lessThan": "2.02-2ubuntu8.16",
        "status": "affected",
        "version": "18.04 LTS",
        "versionType": "custom"
      },
      {
        "lessThan": "2.02~beta2-36ubuntu3.26",
        "status": "affected",
        "version": "16.04 LTS",
        "versionType": "custom"
      },
      {
        "lessThan": "2.02~beta2-9ubuntu1.20",
        "status": "affected",
        "version": "14.04 ESM",
        "versionType": "custom"
      }
    ]
  }
]