CVE-2022-28737
There is a possible overflow in handle_image() when shim tries to load and execute crafted EFI executables. The handle_image() function takes into account the SizeOfRawData field from each section to be loaded. An attacker can leverage this to perform out-of-bounds writes into memory. Arbitrary code execution cannot be ruled out in such a scenario.
Related bugs and status
CVE-2022-28737 (Candidate) is related to these bugs:
Bug #1987541: shim executes GRUB w/ dirty instruction cache on arm64
Bug | Summary | In | Importance | Status
---|---|---|---|---
1987541 | shim executes GRUB w/ dirty instruction cache on arm64 | shim (Ubuntu) | High | Fix Released
1987541 | shim executes GRUB w/ dirty instruction cache on arm64 | shim (Ubuntu Kinetic) | Undecided | Fix Released
1987541 | shim executes GRUB w/ dirty instruction cache on arm64 | shim (Ubuntu Jammy) | Undecided | Fix Released
1987541 | shim executes GRUB w/ dirty instruction cache on arm64 | shim (Ubuntu Focal) | Undecided | Fix Released
1987541 | shim executes GRUB w/ dirty instruction cache on arm64 | shim (Ubuntu Bionic) | Undecided | Fix Released
Bug #1995852: shim TDX enablement
Bug | Summary | In | Importance | Status
---|---|---|---|---
1995852 | shim TDX enablement | shim (Ubuntu) | Undecided | Fix Released
1995852 | shim TDX enablement | shim (Ubuntu Kinetic) | Undecided | Fix Released
1995852 | shim TDX enablement | shim (Ubuntu Jammy) | Undecided | Fix Released
1995852 | shim TDX enablement | shim (Ubuntu Focal) | Undecided | Fix Released
1995852 | shim TDX enablement | shim (Ubuntu Bionic) | Undecided | Fix Released
Bug #1996503: shim 15.7-0ubuntu1
Bug | Summary | In | Importance | Status
---|---|---|---|---
1996503 | shim 15.7-0ubuntu1 | shim (Ubuntu) | Undecided | Fix Committed
1996503 | shim 15.7-0ubuntu1 | shim (Ubuntu Kinetic) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim-signed (Ubuntu) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim (Ubuntu Jammy) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim-signed (Ubuntu Jammy) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim (Ubuntu Focal) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim-signed (Ubuntu Focal) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim (Ubuntu Bionic) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim-signed (Ubuntu Bionic) | Undecided | Fix Released
1996503 | shim 15.7-0ubuntu1 | shim-signed (Ubuntu Kinetic) | Undecided | Fix Released
Bug #2004201: is-not-revoked does not handle gzip'd kernels
Bug | Summary | In | Importance | Status
---|---|---|---|---
2004201 | is-not-revoked does not handle gzip'd kernels | shim-signed (Ubuntu) | Undecided | Fix Released
2004201 | is-not-revoked does not handle gzip'd kernels | shim-signed (Ubuntu Kinetic) | Undecided | Fix Released
2004201 | is-not-revoked does not handle gzip'd kernels | shim-signed (Ubuntu Jammy) | Undecided | Fix Released
2004201 | is-not-revoked does not handle gzip'd kernels | shim-signed (Ubuntu Focal) | Undecided | Fix Released
2004201 | is-not-revoked does not handle gzip'd kernels | shim-signed (Ubuntu Bionic) | Undecided | Fix Released
Bug #2004208: arm64 package has hardcoded x64 references
Bug | Summary | In | Importance | Status
---|---|---|---|---
2004208 | arm64 package has hardcoded x64 references | shim-signed (Ubuntu) | Undecided | Fix Released
2004208 | arm64 package has hardcoded x64 references | shim-signed (Ubuntu Focal) | Undecided | Fix Released
2004208 | arm64 package has hardcoded x64 references | shim-signed (Ubuntu Bionic) | Undecided | Fix Released
2004208 | arm64 package has hardcoded x64 references | shim-signed (Ubuntu Kinetic) | Undecided | Fix Released
2004208 | arm64 package has hardcoded x64 references | shim-signed (Ubuntu Jammy) | Undecided | Fix Released
2004208 | arm64 package has hardcoded x64 references | canonical-signing-jobs | High | Fix Released
2004208 | arm64 package has hardcoded x64 references | canonical-signing-jobs task00 | Medium | Fix Released
2004208 | arm64 package has hardcoded x64 references | canonical-signing-jobs task01 | Medium | Fix Released
2004208 | arm64 package has hardcoded x64 references | canonical-signing-jobs task02 | Medium | Fix Released
2004208 | arm64 package has hardcoded x64 references | canonical-signing-jobs task03 | Medium | Fix Released
See the CVE page on Mitre.org for more details.