CVE-2020-15706

Summary

GRUB2 contains a race condition in grub_script_function_create() leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing, leading to arbitrary code execution and secure boot restriction bypass. This issue affects GRUB2 version 2.04 and prior versions.

Affected Software

VendorProductVersion RangeStatus
Ubuntugrub2 in Ubuntu20.04 LTS < 2.04-1ubuntu26.1affected
Ubuntugrub2 in Ubuntu18.04 LTS < 2.02-2ubuntu8.16affected
Ubuntugrub2 in Ubuntu16.04 LTS < 2.02~beta2-36ubuntu3.26affected
Ubuntugrub2 in Ubuntu14.04 ESM < 2.02~beta2-9ubuntu1.20affected

Weaknesses

  • CWE-362: CWE-362 Race Condition (Concurrent Execution using Shared Resource with Improper Synchronization)

ADP Enrichment

CVE Program Container

Additional References

References