vulnerability

Arch Linux: Out-of-bounds Write (CVE-2022-28734)

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:N/C:C/I:C/A:C)	Jul 20, 2023	Jul 11, 2025	Jan 16, 2026

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Jul 20, 2023

Added

Jul 11, 2025

Modified

Jan 16, 2026

Description

When handling split HTTP headers, GRUB2 HTTP code accidentally moves its internal data buffer point by one position. This can lead to a out-of-bound write further when parsing the HTTP request, writing a NULL byte past the buffer. It's conceivable that an attacker controlled set of packets can lead to corruption of the GRUB2's internal memory metadata.

Solution

arch-linux-upgrade-latest

References

CVE-2022-28734
https://attackerkb.com/topics/CVE-2022-28734
URL-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28734
URL-https://security.netapp.com/advisory/ntap-20230825-0002/
URL-https://www.openwall.com/lists/oss-security/2022/06/07/5
CWE-787

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today