CVE-2024-1298
Published: June 3, 2024Last modified: June 4, 2025
Description
EDK2 contains a vulnerability when S3 sleep is activated where an Attacker may cause a Division-By-Zero due to a UNIT32 overflow via local access. A successful exploit of this vulnerability may lead to a loss of Availability.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6 |
| Attack Vector | LOCAL |
| Attack complexity | LOW |
| Privileges required | HIGH |
| User interaction | NONE |
| Scope | CHANGED |
| Confidentiality | NONE |
| Integrity impact | NONE |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H |
Notes
The bug is present in 202405 and earlier. The bug is fixed in edk2-stable202405 We still have 202308. Debian points to the commit with the fix: https://github.com/tianocore/edk2/commit/284dbac43da752ee34825c8b3f6f9e8281cb5a19
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | edk2 | Vulnerable (0.0.202208-r0) |
| Stream | edk2 | Vulnerable (0.0.202302-r0) |
References
- https://github.com/tianocore/edk2/security/advisories/GHSA-chfw-xj8f-6m53
- https://lists.fedoraproject.org/archives/list/[email protected]/message/F7NUL7NSZQ76A5OKDUCODQNY7WSX4SST/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/VIMEZWDKEIQKU7NMHKL57DOCITPGEXYN/
- https://security.netapp.com/advisory/ntap-20250306-0002/