| Name | CVE-2014-4860 |
| Description | Multiple integer overflows in the Pre-EFI Initialization (PEI) boot phase in the Capsule Update feature in the UEFI implementation in EDK2 allow physically proximate attackers to bypass intended access restrictions by providing crafted data that is not properly handled during the coalescing phase. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| edk2 (PTS) | buster | 0~20181115.85588389-3+deb10u3 | vulnerable |
| bullseye | 2020.11-2+deb11u1 | fixed |
| bullseye (security) | 2020.11-2+deb11u2 | fixed |
| bookworm | 2022.11-6 | fixed |
| bookworm (security) | 2022.11-6+deb12u1 | fixed |
| sid, trixie | 2024.02-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| edk2 | source | (unstable) | (not affected) | | | |
Notes
- edk2 <not-affected> (No support for updates of hypervisor-supplied firmware from guests)
https://www.mitre.org/sites/default/files/publications/14-2221-extreme-escalation-presentation.pdf