GHSA-2689-5P89-6J3J

Vulnerability from github – Published: 2026-04-16 01:30 – Updated: 2026-04-16 01:30
VLAI?
Summary
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable
Details

uefi-firmware contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, MakeTable() does not validate that bit-length values read from the compressed bitstream are within the expected range (0..16). a crafted firmware blob can supply bit lengths greater than 16, causing out-of-bounds writes to the stack-allocated Count[17] array and related decode tables.

reachability is through the normal parsing path: CompressedSection.process() -> efi_compressor.TianoDecompress() -> TianoDecompress() -> ReadPTLen() -> MakeTable().

Minimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.

References:

Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "uefi-firmware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-16T01:30:48Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "`uefi-firmware` contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `MakeTable()` does not validate that bit-length values read from the compressed bitstream are within the expected range (`0..16`). a crafted firmware blob can supply bit lengths greater than `16`, causing out-of-bounds writes to the stack-allocated `Count[17]` array and related decode tables.\n\nreachability is through the normal parsing path: `CompressedSection.process()` -\u003e `efi_compressor.TianoDecompress()` -\u003e `TianoDecompress()` -\u003e `ReadPTLen()` -\u003e `MakeTable()`.\n\nMinimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.\n\nReferences:\n\n- PR: \u003chttps://github.com/theopolis/uefi-firmware-parser/pull/145\u003e\n- fix commit: \u003chttps://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e\u003e\n- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735",
  "id": "GHSA-2689-5p89-6j3j",
  "modified": "2026-04-16T01:30:48Z",
  "published": "2026-04-16T01:30:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/theopolis/uefi-firmware-parser/security/advisories/GHSA-2689-5p89-6j3j"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theopolis/uefi-firmware-parser/pull/145"
    },
    {
      "type": "WEB",
      "url": "https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/theopolis/uefi-firmware-parser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.