CVE-2024-45782
Published: 03 March 2025
Description
Adversaries may use bootkits to persist on systems.
Security Summary
CVE-2024-45782 is a heap-based out-of-bounds write vulnerability in the HFS filesystem driver within GRUB. The flaw occurs while an HFS volume is being mounted in grub_fs_mount(), where the driver calls strcpy() on a user-provided volume name without validating its length. This can corrupt sensitive data structures in GRUB, potentially leading to a bypass of secure boot protections. The vulnerability is associated with CWE-787 and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by providing a maliciously crafted HFS volume name during the mount process. Successful exploitation enables a heap-based out-of-bounds write, which impacts the integrity of GRUB's sensitive data. This could allow the attacker to manipulate boot processes, ultimately bypassing secure boot mechanisms and potentially executing unauthorized code during system startup.
Red Hat has issued an advisory at https://access.redhat.com/security/cve/CVE-2024-45782 and documented the issue in Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2345858, where practitioners can find details on affected versions and recommended patches or mitigations.
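The unchecked-copy pattern named in the summary, next to a bounds-checked replacement, as an added example that is not GRUB's code or its patch. The structure names, the two field sizes and the try_name() harness are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SRC_FIELD_LEN 28   /* assumed size of the on-disk name field */
#define KEY_NAME_LEN  16   /* assumed size of the in-memory destination */

/* Hypothetical structures, not GRUB's definitions. */
struct disk_sblock { unsigned char volname[SRC_FIELD_LEN]; };
struct lookup_key  { char name[KEY_NAME_LEN]; unsigned int guard; };

/* Unsafe pattern from the summary, shown only as a comment:
 *     strcpy(key->name, (const char *)sb->volname);
 * strcpy() copies until the first NUL in the source, so a name longer than
 * the destination, or a field with no NUL at all, writes past key->name. */

/* Hardened copy: bound the scan to the source field, reject names that do
 * not fit, always NUL-terminate. Returns 0 on success, -1 on rejection. */
int copy_volname(struct lookup_key *key, const struct disk_sblock *sb)
{
    const unsigned char *nul = memchr(sb->volname, '\0', SRC_FIELD_LEN);
    size_t len;

    if (nul == NULL)
        return -1;                      /* unterminated on-disk field */
    len = (size_t)(nul - sb->volname);
    if (len >= sizeof(key->name))
        return -1;                      /* would overflow the destination */
    memcpy(key->name, sb->volname, len);
    key->name[len] = '\0';
    return 0;
}

/* Constructed harness: load raw bytes as the on-disk field, run the copy,
 * return 0 (copied), -1 (rejected) or -2 (adjacent guard was overwritten). */
int try_name(const void *raw, size_t n)
{
    struct disk_sblock sb;
    struct lookup_key key = { {0}, 0xC0FFEEu };

    memset(sb.volname, 'A', sizeof(sb.volname));    /* no NUL by default */
    memcpy(sb.volname, raw, n < sizeof(sb.volname) ? n : sizeof(sb.volname));
    int rc = copy_volname(&key, &sb);
    return key.guard != 0xC0FFEEu ? -2 : rc;
}

int main(void)
{
    printf("%d %d\n", try_name("Macintosh HD", 13), try_name("", 0));
    return 0;
}
```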
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap-based out-of-bounds write in GRUB's HFS driver during volume mount allows corruption of bootloader data structures, enabling secure boot bypass and unauthorized code execution at startup, directly facilitating bootkit-style pre-OS boot manipulation.