UEFI Firmware Parser May Crash or Allow Malicious Code Execution
GHSA-hm2w-vr2p-hq7w
Summary
The UEFI Firmware Parser has a flaw that can cause a crash or allow an attacker to run malicious code on a computer. This issue affects the UEFI Firmware Parser, a tool used to work with UEFI firmware files. To protect your systems, update the UEFI Firmware Parser to the latest version, which has fixed this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | uefi-firmware | <= 1.12 |
Original title
UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen
Original description
`uefi-firmware` contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. In `uefi_firmware/compression/Tiano/Decompress.c`, `ReadCLen()` reads `Number = GetBits(Sd, CBIT)` with `CBIT = 9`, so `Number` can be as large as `511`, while the destination array `Sd->mCLen` has `NC = 510` elements. The loop writes while `Index < Number` without enforcing `Index < NC`. Additionally, the `CharC == 2` run-length path performs `GetBits(Sd, 9) + 20`, allowing up to `531` zero writes through `Sd->mCLen[Index++] = 0`.
Reachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `DecodeC()` -> `ReadCLen()`.
Minimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. This project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.
- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145>
- fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e>
- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735
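As an added defensive illustration (not code from uefi-firmware-parser or EDK2), a hardened model of the `ReadCLen()` length-table loop described above: a 9-bit `Number` larger than `NC` is rejected before any write, and every write, including the `CharC == 2` zero run of up to `531` entries, is checked against `NC`. The bit reader, the 2-bit `CharC` selector standing in for the real Huffman decode, the constructed input streams and the `BAD_TABLE` value are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NC        510   /* entries in Sd->mCLen, as in the tiano decompressor */
#define CBIT      9     /* width of the Number field read by ReadCLen */
#define BAD_TABLE 2     /* assumed error code, standing in for the decompressor's own */

/* Minimal MSB-first bit reader over a constructed byte buffer; reads past the
 * end yield zero bits, so a truncated stream cannot itself read out of bounds. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } BitReader;

static uint32_t GetBits(BitReader *br, unsigned n) {
    uint32_t v = 0;
    for (; n > 0; n--, br->bitpos++) {
        size_t byte = br->bitpos >> 3;
        unsigned bit = byte < br->len ? (br->buf[byte] >> (7 - (br->bitpos & 7))) & 1 : 0;
        v = (v << 1) | bit;
    }
    return v;
}

/* Hardened model of the ReadCLen loop. The Huffman decode of CharC is replaced
 * by a 2-bit selector read straight from the stream (0/1 = literal length,
 * 2 = run of zeros); the two bounds checks against NC are the point. */
int ReadCLenHardened(BitReader *br, uint8_t *mCLen) {
    uint32_t Number = GetBits(br, CBIT);             /* 0..511 */
    if (Number > NC) return BAD_TABLE;               /* reject before any write */
    uint32_t Index = 0;
    while (Index < Number) {
        uint32_t CharC = GetBits(br, 2);
        uint32_t run = (CharC == 2) ? GetBits(br, 9) + 20 : 1;   /* 20..531 zeros, or one literal */
        while (run--) {
            if (Index >= NC) return BAD_TABLE;       /* every write stays inside mCLen */
            mCLen[Index++] = (CharC == 2) ? 0 : (uint8_t)CharC;
        }
    }
    while (Index < NC) mCLen[Index++] = 0;           /* zero the remainder, as ReadCLen does */
    return 0;
}

/* Convenience wrapper: decode a byte buffer into a caller-provided NC-entry table. */
int DecodeCLenFromBytes(const uint8_t *buf, size_t len, uint8_t *mCLen) {
    BitReader br = { buf, len, 0 };
    memset(mCLen, 0, NC);
    return ReadCLenHardened(&br, mCLen);
}
```

A stream starting with nine 1 bits (`Number = 511`) fails the first check, and a stream with `Number = 510` followed by a `CharC == 2` run request of `511 + 20` zeros fails on the 511th write instead of corrupting the heap.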
GHSA CVSS 3.1 score
9.8
Vulnerability type
CWE-787
Out-of-bounds Write
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026