What is GHSA-c8f6-x9xm-x27g?

GHSA-c8f6-x9xm-x27g is a security advisory published by GitHub Security Advisories with High severity. A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead...

Which CVE IDs does GHSA-c8f6-x9xm-x27g cover?

GHSA-c8f6-x9xm-x27g covers the following CVE IDs: CVE-2022-2601. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-c8f6-x9xm-x27g?

GHSA-c8f6-x9xm-x27g has a CVSS v3 base score of 8.6, published by GitHub Security Advisories.

GHSA-c8f6-x9xm-x27gHighCVSS 8.6

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead...

Vendor

GitHub Security Advisories

Published

December 14, 2022

Last Modified

May 27, 2026

🔗 CVE IDs covered (1)

CVE-2022-2601 →

📋 Description

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism.

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2022-2601
https://bugzilla.redhat.com/show_bug.cgi?id=2112975#c0
https://security.gentoo.org/glsa/202311-14
https://arstechnica.com/security/2024/08/a-patch-microsoft-spent-2-years-preparing-is-making-a-mess-for-some-linux-users
https://security.netapp.com/advisory/ntap-20230203-0004
https://github.com/advisories/GHSA-c8f6-x9xm-x27g