CVE-2014-4860

Multiple integer overflows in the Pre-EFI Initialization (PEI) boot phase in the Capsule Update feature in the UEFI implementation in EDK2 allow physically proximate attackers to bypass intended access restrictions by providing crafted data that is not properly handled during the coalescing phase.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.8 MEDIUM
PHYSICAL
LOW
NONE
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
VendorProductVersion
tianocoreedk2
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
edk2
bullseye (security)
2020.11-2+deb11u2
fixed
bullseye
2020.11-2+deb11u2
fixed
bookworm
2022.11-6+deb12u1
fixed
bookworm (security)
2022.11-6+deb12u1
fixed
sid
2024.08-4
fixed
trixie
2024.08-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
edk2
vivid
not-affected
trusty
dne
precise
dne
Common Weakness Enumeration
References
http://www.kb.cert.org/vuls/id/552286
http://www.kb.cert.org/vuls/id/552286