CVE-2022-36765: 
NixOS vulnerability analysis and mitigation

EDK2 contains a vulnerability in the CreateHob() function (CVE-2022-36765) that was disclosed on January 9, 2024. The vulnerability affects EDK2 versions up to and including 202311. This security flaw allows a user to trigger an integer overflow that leads to a buffer overflow via a local network, potentially compromising system security (TianoCore Advisory, NVD).

The vulnerability occurs in the CreateHob() function when aligning the requested size. The function performs the operation 'HobLength = (UINT16)((HobLength + 0x7) & (~0x7))' without proper overflow checks. This can result in CreateHob() returning a smaller HOB (Hand-Off Block) than requested, potentially leading to out-of-bounds HOB accesses. The vulnerability has received a CVSS v3.1 base score of 7.8 (High) from NVD and 7.0 (High) from TianoCore.org (TianoCore Advisory).

Successful exploitation of this vulnerability could result in a compromise of system confidentiality, integrity, and availability. The vulnerability affects the PEI (Pre-EFI Initialization) phase, and while exploitation complexity is considered high, the numerous calls to this function increase the potential attack surface (TianoCore Advisory, NVD).

Patch files were made available through the TianoCore bugzilla (Bug ID 4166) and were integrated into the February 2024 EDK2 release. Several major distributions have released security updates to address this vulnerability, including Ubuntu (versions 20.04 LTS, 22.04 LTS, and 23.10) and Fedora (Ubuntu Security, Fedora Update).