cvelistv5 - cve-2021-38576

CVE-2021-38576 (GCVE-0-2021-38576)

Vulnerability from cvelistv5 – Published: 2022-01-03 21:07 – Updated: 2025-11-03 19:26

Summary

A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.

Severity ?

No CVSS data available.

CWE

Security Feature Bypass

Assigner

TianoCore

References

URL

Tags

https://bugzilla.tianocore.org/show_bug.cgi?id=3499

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	n/a	EDK II	Affected: edk2-stable202105, edk2-stable202102, edk2-stable202011, edk2-stable202008, edk2-stable202005, edk2-stable202002, edk2-stable201911, edk2-stable201908, edk2-stable201905, edk2-stable201903, edk2-stable201811, edk2-stable201808

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:26:14.574Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "EDK II",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "edk2-stable202105, edk2-stable202102, edk2-stable202011, edk2-stable202008, edk2-stable202005, edk2-stable202002, edk2-stable201911, edk2-stable201908, edk2-stable201905, edk2-stable201903, edk2-stable201811, edk2-stable201808"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Security Feature Bypass",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-03T21:07:45.000Z",
        "orgId": "65518388-201a-4f93-8712-366d21fe8d2c",
        "shortName": "TianoCore"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "infosec@edk2.groups.io",
          "ID": "CVE-2021-38576",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "EDK II",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "edk2-stable202105, edk2-stable202102, edk2-stable202011, edk2-stable202008, edk2-stable202005, edk2-stable202002, edk2-stable201911, edk2-stable201908, edk2-stable201905, edk2-stable201903, edk2-stable201811, edk2-stable201808"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Security Feature Bypass"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499",
              "refsource": "MISC",
              "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "65518388-201a-4f93-8712-366d21fe8d2c",
    "assignerShortName": "TianoCore",
    "cveId": "CVE-2021-38576",
    "datePublished": "2022-01-03T21:07:45.000Z",
    "dateReserved": "2021-08-11T00:00:00.000Z",
    "dateUpdated": "2025-11-03T19:26:14.574Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201808:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8757385B-6944-488F-B565-417A37C24774\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201811:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E5C29B4B-635D-498E-BFA0-C99810C7867F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201903:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A599E9E7-B318-4C66-A2F8-6137DE9EF8AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201905:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A3F577A-A397-4185-B477-C31065B6F598\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201908:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"76E6EC0C-BA9E-47AD-9A8E-D40BE97CAAFA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:201911:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2AFB7F1-63CF-4E11-8FD5-1E8D054616CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202002:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"02217318-D1DB-41BB-BE48-89BC3F0FA38C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202005:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5193EFCE-3330-48FA-8C63-4CE328A2D339\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202008:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C45BEB6-1F89-4813-B2CF-90639F9CE525\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202011:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C76CE4FB-3BDE-464B-9807-093839D6DB24\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202102:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"063761E2-5C4D-480F-90FE-41D5ECC35E94\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:tianocore:edk2:202105:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07F01519-D5C8-4BEE-A89B-8090F9A415CF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.\"}, {\"lang\": \"es\", \"value\": \"Un error de la BIOS en el firmware de un determinado modelo de PC deja vac\\u00edo el valor de autorizaci\\u00f3n de la plataforma. Esto puede ser usado para brickear permanentemente el TPM de m\\u00faltiples maneras, as\\u00ed como para DoS no permanente del sistema\"}]",
      "id": "CVE-2021-38576",
      "lastModified": "2024-11-21T06:17:33.457",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:C\", \"baseScore\": 7.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2022-01-03T22:15:09.903",
      "references": "[{\"url\": \"https://bugzilla.tianocore.org/show_bug.cgi?id=3499\", \"source\": \"infosec@edk2.groups.io\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.tianocore.org/show_bug.cgi?id=3499\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Permissions Required\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "infosec@edk2.groups.io",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-38576\",\"sourceIdentifier\":\"infosec@edk2.groups.io\",\"published\":\"2022-01-03T22:15:09.903\",\"lastModified\":\"2025-11-03T20:15:49.640\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.\"},{\"lang\":\"es\",\"value\":\"Un error de la BIOS en el firmware de un determinado modelo de PC deja vac\u00edo el valor de autorizaci\u00f3n de la plataforma. Esto puede ser usado para brickear permanentemente el TPM de m\u00faltiples maneras, as\u00ed como para DoS no permanente del sistema\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:C\",\"baseScore\":7.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201808:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8757385B-6944-488F-B565-417A37C24774\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201811:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5C29B4B-635D-498E-BFA0-C99810C7867F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201903:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A599E9E7-B318-4C66-A2F8-6137DE9EF8AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201905:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A3F577A-A397-4185-B477-C31065B6F598\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201908:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"76E6EC0C-BA9E-47AD-9A8E-D40BE97CAAFA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:201911:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2AFB7F1-63CF-4E11-8FD5-1E8D054616CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202002:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"02217318-D1DB-41BB-BE48-89BC3F0FA38C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202005:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5193EFCE-3330-48FA-8C63-4CE328A2D339\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202008:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C45BEB6-1F89-4813-B2CF-90639F9CE525\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202011:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C76CE4FB-3BDE-464B-9807-093839D6DB24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202102:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"063761E2-5C4D-480F-90FE-41D5ECC35E94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:tianocore:edk2:202105:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07F01519-D5C8-4BEE-A89B-8090F9A415CF\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.tianocore.org/show_bug.cgi?id=3499\",\"source\":\"infosec@edk2.groups.io\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.tianocore.org/show_bug.cgi?id=3499\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Permissions Required\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

GSD-2021-38576

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-38576

Aliases

CVE-2021-38576

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-38576",
    "description": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.",
    "id": "GSD-2021-38576"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-38576"
      ],
      "details": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.",
      "id": "GSD-2021-38576",
      "modified": "2023-12-13T01:23:17.592817Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "infosec@edk2.groups.io",
        "ID": "CVE-2021-38576",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "EDK II",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "edk2-stable202105, edk2-stable202102, edk2-stable202011, edk2-stable202008, edk2-stable202005, edk2-stable202002, edk2-stable201911, edk2-stable201908, edk2-stable201905, edk2-stable201903, edk2-stable201811, edk2-stable201808"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Security Feature Bypass"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499",
            "refsource": "MISC",
            "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201808:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201811:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201903:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201905:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201908:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:201911:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202002:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202005:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202008:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202011:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202102:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:tianocore:edk2:202105:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "infosec@edk2.groups.io",
          "ID": "CVE-2021-38576"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Permissions Required",
                "Third Party Advisory"
              ],
              "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-01-13T16:21Z",
      "publishedDate": "2022-01-03T22:15Z"
    }
  }
}

FKIE_CVE-2021-38576

Vulnerability from fkie_nvd - Published: 2022-01-03 22:15 - Updated: 2025-11-03 20:15

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
infosec@edk2.groups.io	https://bugzilla.tianocore.org/show_bug.cgi?id=3499	Issue Tracking, Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.tianocore.org/show_bug.cgi?id=3499	Issue Tracking, Permissions Required, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html

Impacted products

Vendor	Product	Version
tianocore	edk2	201808
tianocore	edk2	201811
tianocore	edk2	201903
tianocore	edk2	201905
tianocore	edk2	201908
tianocore	edk2	201911
tianocore	edk2	202002
tianocore	edk2	202005
tianocore	edk2	202008
tianocore	edk2	202011
tianocore	edk2	202102
tianocore	edk2	202105

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201808:*:*:*:*:*:*:*",
              "matchCriteriaId": "8757385B-6944-488F-B565-417A37C24774",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201811:*:*:*:*:*:*:*",
              "matchCriteriaId": "E5C29B4B-635D-498E-BFA0-C99810C7867F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201903:*:*:*:*:*:*:*",
              "matchCriteriaId": "A599E9E7-B318-4C66-A2F8-6137DE9EF8AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201905:*:*:*:*:*:*:*",
              "matchCriteriaId": "5A3F577A-A397-4185-B477-C31065B6F598",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201908:*:*:*:*:*:*:*",
              "matchCriteriaId": "76E6EC0C-BA9E-47AD-9A8E-D40BE97CAAFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:201911:*:*:*:*:*:*:*",
              "matchCriteriaId": "B2AFB7F1-63CF-4E11-8FD5-1E8D054616CF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202002:*:*:*:*:*:*:*",
              "matchCriteriaId": "02217318-D1DB-41BB-BE48-89BC3F0FA38C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202005:*:*:*:*:*:*:*",
              "matchCriteriaId": "5193EFCE-3330-48FA-8C63-4CE328A2D339",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202008:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C45BEB6-1F89-4813-B2CF-90639F9CE525",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202011:*:*:*:*:*:*:*",
              "matchCriteriaId": "C76CE4FB-3BDE-464B-9807-093839D6DB24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202102:*:*:*:*:*:*:*",
              "matchCriteriaId": "063761E2-5C4D-480F-90FE-41D5ECC35E94",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:tianocore:edk2:202105:*:*:*:*:*:*:*",
              "matchCriteriaId": "07F01519-D5C8-4BEE-A89B-8090F9A415CF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system."
    },
    {
      "lang": "es",
      "value": "Un error de la BIOS en el firmware de un determinado modelo de PC deja vac\u00edo el valor de autorizaci\u00f3n de la plataforma. Esto puede ser usado para brickear permanentemente el TPM de m\u00faltiples maneras, as\u00ed como para DoS no permanente del sistema"
    }
  ],
  "id": "CVE-2021-38576",
  "lastModified": "2025-11-03T20:15:49.640",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-01-03T22:15:09.903",
  "references": [
    {
      "source": "infosec@edk2.groups.io",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Permissions Required",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
    }
  ],
  "sourceIdentifier": "infosec@edk2.groups.io",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-H53V-FR53-7VVJ

Vulnerability from github – Published: 2022-01-04 00:00 – Updated: 2025-11-03 21:30

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-38576"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-03T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "A BIOS bug in firmware for a particular PC model leaves the Platform authorization value empty. This can be used to permanently brick the TPM in multiple ways, as well as to non-permanently DoS the system.",
  "id": "GHSA-h53v-fr53-7vvj",
  "modified": "2025-11-03T21:30:36Z",
  "published": "2022-01-04T00:00:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38576"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2023-1451

Vulnerability from csaf_certbund - Published: 2023-06-13 22:00 - Updated: 2025-06-05 22:00

Summary

Insyde UEFI Firmware: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

InsydeH2O UEFI BIOS ist eine proprietäre, lizenzierte UEFI-BIOS-Firmware, die Intel und AMD basierte Computer unterstützt.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Insyde UEFI Firmware ausnutzen, um einen Denial of Service Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen.

Betroffene Betriebssysteme

- BIOS/Firmware

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "InsydeH2O UEFI BIOS ist eine propriet\u00e4re, lizenzierte UEFI-BIOS-Firmware, die Intel und AMD basierte Computer unterst\u00fctzt.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Insyde UEFI Firmware ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- BIOS/Firmware",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-1451 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-1451.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-1451 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-1451"
      },
      {
        "category": "external",
        "summary": "Insyde Software Security Advisories for InsydeH2O UEFI BIOS vom 2023-06-13",
        "url": "https://www.insyde.com/security-pledge"
      },
      {
        "category": "external",
        "summary": "Lenovo Security Advisory LEN-134879 vom 2023-08-09",
        "url": "https://support.lenovo.com/us/en/product_security/LEN-134879"
      },
      {
        "category": "external",
        "summary": "Fujitsu PSIRT Security Notice FCCL-IS-2023-072400 vom 2023-10-09",
        "url": "https://security.ts.fujitsu.com/ProductSecurity/content/Fujitsu-PSIRT-FCCL-IS-2023-072400-Security-Notice.pdf"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4207 vom 2025-06-05",
        "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00007.html"
      }
    ],
    "source_lang": "en-US",
    "title": "Insyde UEFI Firmware: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-06-05T22:00:00.000+00:00",
      "generator": {
        "date": "2025-06-06T08:21:19.961+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2023-1451",
      "initial_release_date": "2023-06-13T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-06-13T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2023-08-08T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von LENOVO aufgenommen"
        },
        {
          "date": "2023-10-09T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von Fujitsu aufgenommen"
        },
        {
          "date": "2025-06-05T22:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Fujitsu BIOS",
            "product": {
              "name": "Fujitsu BIOS",
              "product_id": "T027696",
              "product_identification_helper": {
                "cpe": "cpe:/a:fujitsu:bios:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Fujitsu"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Insyde UEFI Firmware",
            "product": {
              "name": "Insyde UEFI Firmware",
              "product_id": "T026843",
              "product_identification_helper": {
                "cpe": "cpe:/h:insyde:uefi:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Insyde"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Lenovo BIOS",
            "product": {
              "name": "Lenovo BIOS",
              "product_id": "T005651",
              "product_identification_helper": {
                "cpe": "cpe:/h:lenovo:bios:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "Lenovo Computer",
            "product": {
              "name": "Lenovo Computer",
              "product_id": "T026557",
              "product_identification_helper": {
                "cpe": "cpe:/h:lenovo:computer:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Lenovo"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-38576",
      "product_status": {
        "known_affected": [
          "T005651",
          "2951",
          "T026843",
          "T026557",
          "T027696"
        ]
      },
      "release_date": "2023-06-13T22:00:00.000+00:00",
      "title": "CVE-2021-38576"
    },
    {
      "cve": "CVE-2022-46897",
      "product_status": {
        "known_affected": [
          "T005651",
          "2951",
          "T026843",
          "T026557",
          "T027696"
        ]
      },
      "release_date": "2023-06-13T22:00:00.000+00:00",
      "title": "CVE-2022-46897"
    },
    {
      "cve": "CVE-2023-26090",
      "product_status": {
        "known_affected": [
          "T005651",
          "2951",
          "T026843",
          "T026557",
          "T027696"
        ]
      },
      "release_date": "2023-06-13T22:00:00.000+00:00",
      "title": "CVE-2023-26090"
    }
  ]
}

CNVD-2022-11500

Vulnerability from cnvd - Published: 2022-02-18

Title

Tianocore EDK II存在未明漏洞

Description

Tianocore Edk2是Tianocore社区的一个遵循UEFI和PI规范的跨平台固件开发环境。 Tianocore EDK II存在安全漏洞，攻击者可利用该漏洞以多种方式永久地阻止TPM，以及非永久地DoS系统。

Severity

高

Patch Name

Tianocore EDK II存在未明漏洞的补丁

Patch Description

Tianocore Edk2是Tianocore社区的一个遵循UEFI和PI规范的跨平台固件开发环境。 Tianocore EDK II存在安全漏洞，攻击者可利用该漏洞以多种方式永久地阻止TPM，以及非永久地DoS系统。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://bugzilla.tianocore.org/show_bug.cgi?id=3499

Reference

https://bugzilla.tianocore.org/show_bug.cgi?id=3499

Impacted products

Name
tianocore EDK II

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-38576"
    }
  },
  "description": "Tianocore Edk2\u662fTianocore\u793e\u533a\u7684\u4e00\u4e2a\u9075\u5faaUEFI\u548cPI\u89c4\u8303\u7684\u8de8\u5e73\u53f0\u56fa\u4ef6\u5f00\u53d1\u73af\u5883\u3002\n\nTianocore EDK II\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u591a\u79cd\u65b9\u5f0f\u6c38\u4e45\u5730\u963b\u6b62TPM\uff0c\u4ee5\u53ca\u975e\u6c38\u4e45\u5730DoS\u7cfb\u7edf\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://bugzilla.tianocore.org/show_bug.cgi?id=3499",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-11500",
  "openTime": "2022-02-18",
  "patchDescription": "Tianocore Edk2\u662fTianocore\u793e\u533a\u7684\u4e00\u4e2a\u9075\u5faaUEFI\u548cPI\u89c4\u8303\u7684\u8de8\u5e73\u53f0\u56fa\u4ef6\u5f00\u53d1\u73af\u5883\u3002\r\n\r\nTianocore EDK II\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4ee5\u591a\u79cd\u65b9\u5f0f\u6c38\u4e45\u5730\u963b\u6b62TPM\uff0c\u4ee5\u53ca\u975e\u6c38\u4e45\u5730DoS\u7cfb\u7edf\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Tianocore EDK II\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "tianocore EDK II"
  },
  "referenceLink": "https://bugzilla.tianocore.org/show_bug.cgi?id=3499",
  "serverity": "\u9ad8",
  "submitTime": "2022-01-05",
  "title": "Tianocore EDK II\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-38576 (GCVE-0-2021-38576)

GSD-2021-38576

FKIE_CVE-2021-38576

GHSA-H53V-FR53-7VVJ

WID-SEC-W-2023-1451

CNVD-2022-11500

Tags

Sightings

Nomenclature