CVE-2023-45232

NameCVE-2023-45232
DescriptionEDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1061256

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
edk2 (PTS)bullseye (security), bullseye2020.11-2+deb11u2vulnerable
bookworm, bookworm (security)2022.11-6+deb12u1fixed
sid, trixie2024.11-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
edk2sourcebookworm2022.11-6+deb12u1
edk2source(unstable)2023.11-61061256

Notes

[bullseye] - edk2 <no-dsa> (Minor issue)
[buster] - edk2 <no-dsa> (Minor issue)
https://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html
https://www.openwall.com/lists/oss-security/2024/01/16/2

Search for package or bug name: Reporting problems