CVE-2021-28216 log

Severity Medium
Remote No
Type Insufficient validation
A security issue has been found in edk2 before version 202111. In the function FpdtStatusCodeListenerPei(), the pointer BootPerformanceTable is read directly from an NVRAM variable ("FirmwarePerformance"). Memory is then updated at that address.  A local attacker may modify the variable at his will, and after reboot the vulnerable code will update memory at the attacker-supplied address.
Group Package Affected Fixed Severity Status Ticket
AVG-2592 edk2-shell 202108-1 202111-1 Medium Fixed