GHSA-2689-5p89-6j3j

Source

https://github.com/advisories/GHSA-2689-5p89-6j3j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2689-5p89-6j3j/GHSA-2689-5p89-6j3j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2689-5p89-6j3j

Published

2026-04-16T01:30:48Z

Modified

2026-04-16T01:48:31.869758Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable

Details

uefi-firmware contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, MakeTable() does not validate that bit-length values read from the compressed bitstream are within the expected range (0..16). a crafted firmware blob can supply bit lengths greater than 16, causing out-of-bounds writes to the stack-allocated Count[17] array and related decode tables.

reachability is through the normal parsing path: CompressedSection.process() -> efi_compressor.TianoDecompress() -> TianoDecompress() -> ReadPTLen() -> MakeTable().

Minimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.

References:

PR: https://github.com/theopolis/uefi-firmware-parser/pull/145
fix commit: https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e
upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735

Database specific

{
    "github_reviewed_at": "2026-04-16T01:30:48Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-787"
    ],
    "nvd_published_at": null,
    "severity": "CRITICAL"
}

References

Affected packages

PyPI / uefi-firmware

Package

Name: uefi-firmware; View open source insights on deps.dev
Purl: pkg:pypi/uefi-firmware

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.12

Affected versions

1.*

1.1

1.2

1.3

1.4

1.6

1.7

1.8

1.9

1.10

1.11

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-2689-5p89-6j3j/GHSA-2689-5p89-6j3j.json"