UEFI Firmware Parser Can Crash or Be Hacked
GHSA-2689-5p89-6j3j
Summary
The UEFI Firmware Parser is prone to a critical flaw that can cause it to crash or be exploited by hackers. This is due to a bug in how it handles certain types of firmware data. To fix this, the developers have released a patch that you should apply to your system to prevent crashes and potential security breaches.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | uefi-firmware | <= 1.12 |
Original title
UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable
Original description
`uefi-firmware` contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. In `uefi_firmware/compression/Tiano/Decompress.c`, `MakeTable()` does not validate that bit-length values read from the compressed bitstream are within the expected range (`0..16`). A crafted firmware blob can supply bit lengths greater than `16`, causing out-of-bounds writes to the stack-allocated `Count[17]` array and related decode tables.
Reachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `ReadPTLen()` -> `MakeTable()`.
Minimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. This project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.
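As an added example (not the project's or EDK2's own code), the following C models the opening step of `MakeTable()`: the code lengths read from the untrusted bitstream are tallied into a 17-entry `Count[]` array, so a length above 16 must be rejected before it is used as an index. The `BAD_TABLE`/`OK_TABLE` return codes and the sample length arrays are constructed for this illustration; the completeness check mirrors the structure of the upstream EDK2 hardening.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BAD_TABLE 1   /* constructed return codes for this example */
#define OK_TABLE  0

/* Hardened histogram + prefix-sum step modelled on MakeTable().
 * bit_len[i] is a Huffman code length taken straight from the bitstream. */
int check_bit_lengths(const uint8_t *bit_len, size_t num_of_char)
{
    uint16_t count[17] = {0};   /* the stack array named in the advisory */
    uint16_t start[18] = {0};

    for (size_t i = 0; i < num_of_char; i++) {
        /* The check the vulnerable build lacked: without it a length such
         * as 20 indexes past count[16] and overwrites adjacent stack data
         * (CWE-787). Rejecting the table is the safe failure mode. */
        if (bit_len[i] > 16)
            return BAD_TABLE;
        count[bit_len[i]]++;
    }

    /* Completeness check: the lengths must exactly fill the 16-bit code
     * space, so the running sum wraps to 0 at start[17]. Over- or
     * under-subscribed tables are rejected as well. */
    start[1] = 0;
    for (int i = 1; i <= 16; i++)
        start[i + 1] = (uint16_t)(start[i] + (count[i] << (16 - i)));
    if (start[17] != 0)
        return BAD_TABLE;

    return OK_TABLE;
}

/* Constructed sample inputs: a complete code, an out-of-range length,
 * and an over-subscribed set of lengths. */
const uint8_t SAMPLE_GOOD[]      = {1, 2, 3, 3};
const uint8_t SAMPLE_OUT_RANGE[] = {1, 2, 20, 3};
const uint8_t SAMPLE_OVERSUB[]   = {1, 1, 1};

int main(void)
{
    printf("complete code   -> %d\n", check_bit_lengths(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("length > 16     -> %d\n", check_bit_lengths(SAMPLE_OUT_RANGE, sizeof SAMPLE_OUT_RANGE));
    printf("over-subscribed -> %d\n", check_bit_lengths(SAMPLE_OVERSUB, sizeof SAMPLE_OVERSUB));
    return 0;
}
```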
References:
- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145>
- fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e>
- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735
GHSA CVSS 3.1: 9.8
Vulnerability type: CWE-787 (Out-of-bounds Write)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026