Impact
The vulnerability stems from an incorrect use of sizeof in a kernel reallocation routine for the EFI capsule loader. On 32‑bit PAE systems, the reallocation uses the size of a pointer rather than the size of a 64‑bit physical address, causing the allocated memory to be half the required space. This misallocation can lead to a heap buffer overflow when the kernel stores physical address values, potentially compromising kernel memory integrity. The weakness is classified as CWE‑131, Incorrect Size of Allocation.
Affected Systems
The issue affects Linux kernel implementations that run on 32‑bit systems with Physical Address Extension (PAE) and that include the EFI capsule loader. Specific kernel versions are not listed, but the patch is present in commits after the bug was introduced. Administrators should verify whether their running kernel contains the EFI capsule loader code paths that were patched.
Risk and Exploitability
The flawed allocation may be triggered when the kernel processes EFI capsule data containing physical addresses. An attacker capable of supplying or manipulating such capsule data could cause kernel memory corruption, leading to privilege escalation or denial of service. The CVSS score of 5.5 and the EPSS score of less than 1% indicate moderate severity and a very low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is the injection of malicious EFI capsule data through firmware update mechanisms, which is inferred rather than directly stated.
OpenCVE Enrichment
Debian DLA