CVE-2021-28210
edk2: unlimited FV recursion, round 2
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
An unlimited recursion in DxeCore in EDK II.
An unlimited recursion in the DxeCore function in EDK II.
A flaw was found in edk2. An unlimited recursion in DxeCore may allow an attacker to corrupt the system memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
It was discovered that EDK II did not check the buffer length in XHCI, which could lead to a stack overflow. A local attacker could potentially use this issue to cause a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. Laszlo Ersek discovered that EDK II incorrectly handled recursion. A remote attacker could possibly use this issue to cause EDK II to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-12 CVE Reserved
- 2021-04-02 CVE Published
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- 2025-07-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-674: Uncontrolled Recursion
CAPEC
References (3)
URL | Date | SRC
---|---|---
https://bugzilla.tianocore.org/show_bug.cgi?id=1743 | 2024-08-03 |
https://access.redhat.com/security/cve/CVE-2021-28210 | 2021-11-09 |
https://bugzilla.redhat.com/show_bug.cgi?id=1883552 | 2021-11-09 |