
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in GRUB2 (CVE-2021-3695) where a crafted 16-bit grayscale PNG image could lead to an out-of-bounds write in the heap area. The vulnerability affects GRUB2 versions prior to grub-2.12 and was disclosed in August 2021 (CVE Details, Red Hat Bugzilla).
The vulnerability involves an out-of-bounds write in the heap area when processing specially crafted 16-bit grayscale PNG images. The issue has high complexity for exploitation as an attacker needs to perform triage over the heap layout to achieve significant results. Additionally, the values written into memory are repeated three times in a row, making it difficult to produce valid payloads. The vulnerability has been assigned a CVSS score of 4.5 (MEDIUM) with the vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L (NetApp Advisory).
Successful exploitation of this vulnerability could lead to heap data corruption or potentially arbitrary code execution, allowing an attacker to circumvent secure boot protections. The impact includes potential disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory, CVE Details).
The vulnerability has been fixed in GRUB2 version 2.12 and later. Various Linux distributions have released security updates to address this issue. Users are advised to upgrade to the patched versions through their respective package managers. For Ubuntu systems, updates are available for versions 20.04 and 22.04 (Ubuntu Security Notice).
Source: This report was generated using AI
Free Vulnerability Assessment
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
"We know that if Wiz identifies something as critical, it actually is."