CVE-2021-28216 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	No
Type	Insufficient validation
Description	A security issue has been found in edk2 before version 202111. In the function FpdtStatusCodeListenerPei(), the pointer BootPerformanceTable is read directly from an NVRAM variable ("FirmwarePerformance"). Memory is then updated at that address. A local attacker may modify the variable at his will, and after reboot the vulnerable code will update memory at the attacker-supplied address.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2592	edk2-shell	202108-1	202111-1	Medium	Fixed

References
https://bugzilla.tianocore.org/show_bug.cgi?id=2957 https://edk2.groups.io/g/devel/message/81743 https://github.com/tianocore/edk2/commit/466ebdd2e0919c1538d03cd59833704bd5e1c028