GHSA-HM2W-VR2P-HQ7W
Vulnerability from github – Published: 2026-04-16 01:31 – Updated: 2026-04-16 01:31

uefi-firmware contains a heap out-of-bounds write vulnerability in the native Tiano/EFI decompressor. In uefi_firmware/compression/Tiano/Decompress.c, ReadCLen() reads Number = GetBits(Sd, CBIT) with CBIT = 9, so Number can be as large as 511, while the destination array Sd->mCLen has NC = 510 elements. The loop writes while Index < Number without enforcing Index < NC. Additionally, the CharC == 2 run-length path performs GetBits(Sd, 9) + 20, allowing up to 531 zero writes through Sd->mCLen[Index++] = 0.
Reachability is through the normal parsing path: CompressedSection.process() -> efi_compressor.TianoDecompress() -> TianoDecompress() -> DecodeC() -> ReadCLen().
Minimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. This project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.
- PR: https://github.com/theopolis/uefi-firmware-parser/pull/145
- fix commit: https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e
- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735
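The following C model, added here and not taken from the project or from EDK2, reproduces the ReadCLen() fill loop with the bounds checks the advisory describes as missing: Number is rejected when it exceeds NC, and Index < NC is enforced before every write, including each zero written by the CharC == 2 run. The token struct, the helper names and the treatment of CharC 0/1 runs (1 zero, GetBits(4)+3 zeros) are assumptions; the Huffman lookup through mPTTable is left out so only the bounds logic is exercised.

```c
#include <stdint.h>
#include <string.h>
#define NC   510   /* entries in the mCLen table (from the advisory) */
#define CBIT 9     /* width of Number: GetBits(Sd, CBIT) may yield 511 */
/* One already-decoded token of the C-length stream (constructed input; the real
 * decoder derives CharC via mPTTable). extra models the GetBits() result on the
 * run-length paths (CharC == 1 or CharC == 2). */
struct clen_token { uint16_t charc; uint16_t extra; };
/* Hardened model of the ReadCLen() fill loop (hypothetical name, not project
 * code). Returns 0 when mCLen was filled in bounds, 1 when the table is bad. */
int read_clen_checked(uint8_t mCLen[NC], unsigned Number,
                      const struct clen_token *tok, size_t ntok)
{
    size_t Index = 0, t = 0;
    if (Number > NC)                /* check 1: 9-bit count vs. 510-entry table */
        return 1;
    while (Index < Number) {
        if (t >= ntok)              /* constructed stream ran out of tokens */
            return 1;
        uint16_t CharC = tok[t].charc, extra = tok[t].extra;
        t++;
        if (CharC <= 2) {
            /* run of zero lengths: 1, GetBits(4)+3 or GetBits(CBIT)+20; the
             * last form alone can demand 511 + 20 = 531 writes */
            unsigned run = (CharC == 0) ? 1 : (CharC == 1) ? (extra & 0xF) + 3
                         : (extra & ((1u << CBIT) - 1)) + 20;
            for (; run > 0; run--) {
                if (Index >= NC)    /* check 2: the original wrote unconditionally */
                    return 1;
                mCLen[Index++] = 0;
            }
        } else {
            if (Index >= NC)        /* check 3: same guard for a literal length */
                return 1;
            mCLen[Index++] = (uint8_t)(CharC - 2);
        }
    }
    memset(mCLen + Index, 0, NC - Index);   /* unused tail stays defined */
    return 0;
}

/* Scenario helpers over constructed token streams (sample input). */
static uint8_t tbl[NC];
static const struct clen_token too_big[] = {{3, 0}}, long_run[] = {{2, 511}},
                               good[] = {{5, 0}, {4, 0}, {9, 0}, {1, 4}};
int demo_count_too_large(void)    { return read_clen_checked(tbl, 511, too_big, 1); }  /* 1 */
int demo_zero_run_overflows(void) { return read_clen_checked(tbl, NC, long_run, 1); }  /* 1: 531 zeros */
int demo_well_formed(void) {      /* three literals then a 7-zero run, Number = 10 */
    if (read_clen_checked(tbl, 10, good, 4) != 0) return 0;
    return tbl[0] == 3 && tbl[1] == 2 && tbl[2] == 7 && tbl[3] == 0 && tbl[9] == 0;
}
```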
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "uefi-firmware"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:31:09Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "`uefi-firmware` contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `ReadCLen()` reads `Number = GetBits(Sd, CBIT)` with `CBIT = 9`, so `Number` can be as large as `511`, while the destination array `Sd-\u003emCLen` has `NC = 510` elements. the loop writes while `Index \u003c Number` without enforcing `Index \u003c NC`. additionally, the `CharC == 2` run-length path performs `GetBits(Sd, 9) + 20`, allowing up to `531` zero writes through `Sd-\u003emCLen[Index++] = 0`.\n\nReachability is through the normal parsing path: `CompressedSection.process()` -\u003e `efi_compressor.TianoDecompress()` -\u003e `TianoDecompress()` -\u003e `DecodeC()` -\u003e `ReadCLen()`.\n\nMinimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.\n\n- PR: \u003chttps://github.com/theopolis/uefi-firmware-parser/pull/145\u003e\n- fix commit: \u003chttps://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e\u003e\n- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735",
"id": "GHSA-hm2w-vr2p-hq7w",
"modified": "2026-04-16T01:31:09Z",
"published": "2026-04-16T01:31:09Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/theopolis/uefi-firmware-parser/security/advisories/GHSA-hm2w-vr2p-hq7w"
},
{
"type": "WEB",
"url": "https://github.com/theopolis/uefi-firmware-parser/pull/145"
},
{
"type": "WEB",
"url": "https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e"
},
{
"type": "PACKAGE",
"url": "https://github.com/theopolis/uefi-firmware-parser"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.