Intel Corporation Information for VU#533140

Tianocore UEFI implementation reclaim function vulnerable to buffer overflow

Status

Not Affected

Vendor Statement

The originally reported issue in FSVariable.c only affects functionality where variable storage is emulated by an OS file system; it is not intended for production use. However, the same logic is used in other locations that are used in production.

Intel introduced changes in the EDK2 implementation (SVN 16280) and independently notified OEMs and BIOS vendors about this issue. Note that this issue would not normally be exposed; a separate vulnerability must allow modification of the non-volatile storage usually located on SPI flash, allowing the attacker to introduce valid variable headers after the end of the variable storage area.

At this time, Intel is not aware of any Intel-branded products that are affected by this issue.
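
The precondition named in the statement is a valid-looking variable header located after the end of the variable storage area. As an added example (not Intel's or EDK2's code), the walk below rejects any header or payload that crosses the store boundary, so a reclaim copy can never exceed a scratch buffer sized to the store. The header layout, `VAR_MAGIC` and the function names are hypothetical simplifications.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define VAR_MAGIC 0x55AAu /* constructed marker for this example */

/* Hypothetical, simplified variable header; not the EDK2 layout. */
typedef struct {
    uint16_t magic, state;          /* state 1 = live, 0 = deleted */
    uint32_t name_size, data_size;
} var_hdr_t;

/* Accept a header only if it and its payload lie wholly inside the store. */
static int hdr_in_store(const uint8_t *store, size_t len, size_t off, var_hdr_t *h)
{
    if (off > len || len - off < sizeof *h)
        return 0;
    memcpy(h, store + off, sizeof *h);      /* avoids unaligned reads */
    if (h->magic != VAR_MAGIC)
        return 0;
    size_t room = len - off - sizeof *h;
    /* Subtract instead of adding so the size fields cannot wrap. */
    return h->name_size <= room && h->data_size <= room - h->name_size;
}

/* Bytes a reclaim pass would copy; bounded by len because every record is. */
size_t reclaim_bytes_needed(const uint8_t *store, size_t len)
{
    size_t off = 0, total = 0;
    var_hdr_t h;
    while (hdr_in_store(store, len, off, &h)) {
        size_t rec = sizeof h + h.name_size + h.data_size;
        if (h.state == 1)
            total += rec;
        off += rec;
    }
    return total;
}

int main(void)
{
    /* Constructed sample: a 32-byte store followed by 32 bytes of other flash. */
    uint8_t flash[64];
    var_hdr_t in = { VAR_MAGIC, 1, 4, 16 }, past = { VAR_MAGIC, 1, 4, 4 };
    memset(flash, 0xFF, sizeof flash);
    memcpy(flash, &in, sizeof in);            /* fills the store exactly */
    memcpy(flash + 32, &past, sizeof past);   /* header after the store end */
    printf("%zu\n", reclaim_bytes_needed(flash, 32));
    return 0;
}
```
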

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

None

Addendum

There are no additional comments at this time.
