Vulnerability in Gnu Grub2

CVE-2024-56738

GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.

EPSS: 0.000 (11.7th percentile) — read the EPSS interpretation.

Affected products

Gnu Grub2 — versions 2.00

Weakness classification (CWE)

CWE-208

Public proof-of-concept exploits

yo-yo-yo-jbo/yo-yo-yo-jbo.github.io

References

savannah.gnu.org/bugs/

Frequently asked questions

What is CVE-2024-56738?: CVE-2024-56738 is a vulnerability in Gnu Grub2, classified under CWE-208. Published 2024-12-29.
Is CVE-2024-56738 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.