CVE-2015-8370

Publication date 11 December 2015

Last updated 30 May 2025

Ubuntu priority

Cvss 3 Severity Score

Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an “Off-by-two” or “Out of bounds overwrite” memory error.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
grub2	15.10 wily	Fixed 2.02~beta2-29ubuntu0.2
	15.04 vivid	Fixed 2.02~beta2-22ubuntu1.4
	14.04 LTS trusty	Fixed 2.02~beta2-9ubuntu1.6
	12.04 LTS precise	Fixed 1.99-21ubuntu3.19

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
grub2	Distro: https://bugzilla.redhat.com/attachment.cgi?id=1100986&action=diff

Severity score breakdown

Parameter	Value
Base score	7.4 · High
Attack vector	Local
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-2836-1
GRUB vulnerability
15 December 2015