CVE-2020-25647 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Arbitrary code execution
Description	grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution allowing the attacker to bypass the Secure Boot mechanism.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1629	grub	2:2.04-10	2:2.06-1	Medium	Fixed

Date	Advisory	Group	Package	Severity	Type
15 Jun 2021	ASA-202106-43	AVG-1629	grub	Medium	multiple issues

References
https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00007.html https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=128c16a682034263eb519c89bc0934eeb6fa8cfa