{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-45775", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-08T01:57:12.947Z", "datePublished": "2025-02-18T19:25:40.364Z", "dateUpdated": "2025-08-30T22:17:56.328Z"}, "containers": {"cna": {"title": "Grub2: commands/extcmd: missing check for failed allocation", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data."}], "affected": [{"versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.12"}], "packageName": "grub2", "collectionURL": "https://ftp.gnu.org/gnu/grub/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "grub2", "defaultStatus": "affected", "versions": [{"version": "1:2.06-104.el9_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "grub2", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "grub2", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "grub2", "defaultStatus": "affected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhcos", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:openshift:4"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:6990", "name": "RHSA-2025:6990", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-45775", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337481", "name": "RHBZ#2337481", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2025-01-28T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-252", "description": "Unchecked Return Value", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-252: Unchecked Return Value", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-01-13T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-28T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-30T22:17:56.328Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-19T14:42:30.676203Z", "id": "CVE-2024-45775", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T15:15:35.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-45775", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-19T14:42:30.676203Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-19T14:42:32.168Z"}}], "cna": {"title": "Grub2: commands/extcmd: missing check for failed allocation", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.12"}], "packageName": "grub2", "collectionURL": "https://ftp.gnu.org/gnu/grub/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "1:2.06-104.el9_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "grub2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "grub2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "grub2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "grub2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:openshift:4"], "vendor": "Red Hat", "product": "Red Hat OpenShift Container Platform 4", "packageName": "rhcos", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2025-01-13T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-28T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-01-28T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:6990", "name": "RHSA-2025:6990", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-45775", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337481", "name": "RHBZ#2337481", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-252", "description": "Unchecked Return Value"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-08-30T22:17:56.328Z"}, "x_redhatCweChain": "CWE-252: Unchecked Return Value"}}, "cveMetadata": {"cveId": "CVE-2024-45775", "state": "PUBLISHED", "dateUpdated": "2025-08-30T22:17:56.328Z", "dateReserved": "2024-09-08T01:57:12.947Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-02-18T19:25:40.364Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en GRUB2 donde la funci\u00f3n Grub_extCMD_DISPATCHER () llama a Grub_arg_List_Alloc () para asignar memoria para la lista de argumentos de GRUB. Sin embargo, no se verifica en caso de que la asignaci\u00f3n de memoria falle. Una vez que la asignaci\u00f3n falla, la funci\u00f3n NULL se procesar\u00e1 mediante la funci\u00f3n parse_option (), lo que lleva a la comida a bloquear o, en algunos escenarios raros, corrompe los datos IVT."}], "id": "CVE-2024-45775", "lastModified": "2025-05-13T20:15:24.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 4.7, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-02-18T20:15:19.177", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:6990"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-45775"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337481"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-252"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:6990", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "grub2-1:2.06-104.el9_6", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-13T00:00:00Z"}], "bugzilla": {"description": "grub2: commands/extcmd: Missing check for failed allocation", "id": "2337481", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337481"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H", "status": "verified"}, "cwe": "CWE-252", "details": ["A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data.", "A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-45775", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "grub2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "grub2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "grub2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Fix deferred", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-45775\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-45775"], "statement": "Red Hat has classified this vulnerability with a Moderate severity due to the high privileges needed to exploit this flaw. Additionally, the attack vector is considered local, further limiting exploitation of this issue.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-252: Unchecked Return Value vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nReturn values from critical operations are consistently evaluated through enforced development standards and automated static analysis, reducing the likelihood of logic flaws or silent failures reaching production. Error-handling routines are integrated into application behavior to ensure that failures are properly logged, traced, and contained, maintaining system stability under fault conditions. Additionally, the platform is designed to respond to errors predictably, preventing uncontrolled behavior and ensuring that processes fail in a known, recoverable state.", "threat_severity": "Moderate"}