CVE-2023-45232

Name: CVE-2023-45232
Description: EDK2's Network Package (NetworkPkg, the IPv6 stack the firmware uses during PXE and HTTP network boot) is susceptible to an infinite loop when it parses an option of a type it does not recognise in the IPv6 Destination Options extension header. An attacker able to deliver a crafted IPv6 packet to the firmware's network stack, for example from the same link while the machine is network-booting, can hang it. The impact is a loss of availability; it is one of the PixieFail issues reported by Quarkslab (see Notes).
Source: CVE (at NVD; also tracked at CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues)
Debian Bugs: 1061256
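The infinite loop in the description is easiest to see in code. The block below is an added, simplified model of an IPv6 Destination Options TLV walk written for this page; it is not EDK2's NetworkPkg code and the function, constant and sample names are our own. `walk_options_vulnerable` reproduces the pattern behind the CVE as described in the Quarkslab write-up linked under Notes: an unknown option whose action bits say "skip" advances the cursor by its data length only, not by the two type/length bytes plus the data length, so a zero-length unknown option never moves the cursor. `walk_options_hardened` shows the checks a reviewer would ask for: advance by 2 + length for every TLV, bounds-check each read against the option area, and use a cursor wide enough that the addition cannot wrap. The sample option areas are constructed bytes, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type codes and the "unknown option" action bits from RFC 8200 section 4.2.
   The names are ours, not EDK2's. */
#define OPT_PAD1        0x00
#define OPT_PADN        0x01
#define OPT_ACTION_MASK 0xC0  /* top two bits: what to do with an unknown option */
#define OPT_ACTION_SKIP 0x00  /* 00 = skip this option and keep processing */

/* Safety valve so the deliberately vulnerable walker can be run in a harness. */
#define MAX_STEPS 10000

/* Vulnerable walk, modelling the pattern the CVE describes: an unknown option
   in the "skip" class advances the cursor by its data length only, not by
   2 + length, so a zero-length unknown option leaves the cursor where it is.
   Returns the number of loop iterations, or -1 once it is clearly spinning.
   It does no bounds checking of its own, so callers must supply an option
   area in which every non-Pad1 option it reaches has its length byte present. */
int walk_options_vulnerable(const uint8_t *opt, uint8_t len)
{
    uint8_t off = 0;
    int steps = 0;

    while (off < len) {
        if (++steps > MAX_STEPS)
            return -1;                      /* would loop forever in firmware */

        uint8_t type = opt[off];
        switch (type) {
        case OPT_PAD1:
            off++;
            break;
        case OPT_PADN:
            off = (uint8_t)(off + opt[off + 1] + 2);
            break;
        default:
            if ((type & OPT_ACTION_MASK) == OPT_ACTION_SKIP) {
                /* BUG: skips the option data but not its own type and length
                   bytes; with a data length of 0 this is off = off + 0. */
                off = (uint8_t)(off + opt[off + 1]);
            } else {
                return steps;               /* discard classes: stop here */
            }
            break;
        }
    }
    return steps;
}

/* Hardened walk: every TLV option advances the cursor by 2 + length, every
   read is bounds-checked against the option area, and the cursor is a size_t
   so the addition cannot wrap. Returns true when the whole option area was
   walked (packet may be processed), false when the packet must be discarded
   (malformed, or an unknown option whose action bits are not "skip"). */
bool walk_options_hardened(const uint8_t *opt, size_t len)
{
    size_t off = 0;

    while (off < len) {
        uint8_t type = opt[off];
        if (type == OPT_PAD1) {
            off++;
            continue;
        }
        if (off + 1 >= len)
            return false;                   /* length byte missing */
        size_t dlen = opt[off + 1];
        if (off + 2 + dlen > len)
            return false;                   /* option data overruns the area */
        if (type != OPT_PADN && (type & OPT_ACTION_MASK) != OPT_ACTION_SKIP)
            return false;                   /* discard class; ICMPv6 reply omitted */
        off += 2 + dlen;                    /* strictly increases: always terminates */
    }
    return true;
}

/* Constructed sample option areas (not captured traffic). */
/* Unknown "skip" option (type 0x1E) with zero data length: spins the
   vulnerable walker, is walked cleanly by the hardened one. */
const uint8_t SAMPLE_SPIN[] = { 0x1E, 0x00 };
/* Unknown skip option with one data byte, then Pad1. The vulnerable walker
   terminates but lands on the length byte and misreads 0x01 as a PadN option. */
const uint8_t SAMPLE_MISPARSE[] = { 0x1E, 0x01, 0xAA, 0x00 };
/* Unknown option whose action bits (10) say discard: both walkers stop. */
const uint8_t SAMPLE_DISCARD[] = { 0x80, 0x00 };
/* Truncated: a type byte with no length byte. Only the hardened walker is safe on it. */
const uint8_t SAMPLE_TRUNC[] = { 0x1E };

int main(void)
{
    printf("vulnerable, spin:     %d\n", walk_options_vulnerable(SAMPLE_SPIN, sizeof SAMPLE_SPIN));
    printf("hardened,   spin:     %d\n", walk_options_hardened(SAMPLE_SPIN, sizeof SAMPLE_SPIN));
    printf("vulnerable, misparse: %d\n", walk_options_vulnerable(SAMPLE_MISPARSE, sizeof SAMPLE_MISPARSE));
    printf("hardened,   misparse: %d\n", walk_options_hardened(SAMPLE_MISPARSE, sizeof SAMPLE_MISPARSE));
    printf("hardened,   trunc:    %d\n", walk_options_hardened(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    return 0;
}
```

The two-byte cursor in the vulnerable walker is also worth noting: even when it terminates, an `off` computed in `uint8_t` can wrap on a long PadN, which is why the hardened version keeps `off` in `size_t` and checks `off + 2 + dlen` against `len` before using it.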

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version                          Status
edk2 (PTS)       buster                0~20181115.85588389-3+deb10u3    vulnerable
edk2             bullseye              2020.11-2+deb11u1                vulnerable
edk2             bullseye (security)   2020.11-2+deb11u2                vulnerable
edk2             bookworm              2022.11-6                        vulnerable
edk2             bookworm (security)   2022.11-6+deb12u1                fixed
edk2             trixie                2023.11-8                        fixed
edk2             sid                   2024.02-1                        fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version        Urgency   Origin   Debian Bugs
edk2      source   bookworm     2022.11-6+deb12u1    -         -        -
edk2      source   (unstable)   2023.11-6            -         -        1061256

Notes

[bullseye] - edk2 <no-dsa> (Minor issue)
https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
https://www.openwall.com/lists/oss-security/2024/01/16/2
