CVE Vulnerabilities

CVE-2024-2312

Use After Free

Published: Apr 05, 2024 | Modified: Aug 26, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
6.7 MODERATE
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

GRUB2 does not call the module fini functions on exit, leading to Debian/Ubuntus peimage GRUB2 module leaving UEFI system table hooks after exit. This lead to a use-after-free condition, and could possibly lead to secure boot bypass.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name Vendor Start Version End Version
Grub2 Gnu * 2.12-1ubuntu5 (excluding)
Grub2 Ubuntu bionic *
Grub2 Ubuntu esm-infra-legacy/trusty *
Grub2 Ubuntu trusty *
Grub2 Ubuntu trusty/esm *
Grub2 Ubuntu xenial *
Grub2-signed Ubuntu bionic *
Grub2-signed Ubuntu devel *
Grub2-signed Ubuntu esm-infra-legacy/trusty *
Grub2-signed Ubuntu mantic *
Grub2-signed Ubuntu noble *
Grub2-signed Ubuntu oracular *
Grub2-signed Ubuntu trusty *
Grub2-signed Ubuntu trusty/esm *
Grub2-signed Ubuntu xenial *
Grub2-unsigned Ubuntu bionic *
Grub2-unsigned Ubuntu devel *
Grub2-unsigned Ubuntu mantic *
Grub2-unsigned Ubuntu noble *
Grub2-unsigned Ubuntu oracular *
Grub2-unsigned Ubuntu trusty *
Grub2-unsigned Ubuntu xenial *

Potential Mitigations

References