CVE-2021-3696
Publication date 6 July 2022
Last updated 24 July 2024
Ubuntu priority
A heap out-of-bounds write may heppen during the handling of Huffman tables in the PNG reader. This may lead to data corruption in the heap space. Confidentiality, Integrity and Availablity impact may be considered Low as it's very complex to an attacker control the encoding and positioning of corrupted Huffman entries to achieve results such as arbitrary code execution and/or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| grub2 | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
|
| grub2-signed | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 1.187.3~22.04.1
|
|
| 20.04 LTS focal |
Fixed 1.187.3~20.04.1
|
|
| 18.04 LTS bionic |
Fixed 1.187.3~18.04.1
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty |
Vulnerable
|
|
| grub2-unsigned | 24.04 LTS noble |
Not affected
|
| 22.04 LTS jammy |
Fixed 2.06-2ubuntu14.1
|
|
| 20.04 LTS focal |
Fixed 2.06-2ubuntu14.1
|
|
| 18.04 LTS bionic |
Fixed 2.06-2ubuntu14.1
|
|
| 16.04 LTS xenial |
Vulnerable
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
4.5 · Medium
|
| Attack vector | Local |
| Attack complexity | High |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | Low |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
References
Related Ubuntu Security Notices (USN)
- USN-6355-1
- GRUB2 vulnerabilities
- 8 September 2023