{"id":"CVE-2017-9763","details":"The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array.","modified":"2026-04-11T03:11:44.973954Z","published":"2017-06-19T16:29:00.797Z","related":["SUSE-SU-2019:13989-1","SUSE-SU-2021:14659-1"],"references":[{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99141"},{"type":"FIX","url":"https://github.com/radare/radare2/issues/7723"},{"type":"FIX","url":"http://git.savannah.gnu.org/cgit/grub.git/commit/grub-core/fs/ext2.c?id=ac8cac1dac50daaf1c390d701cca3b55e16ee768"},{"type":"FIX","url":"https://github.com/radare/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/radare/radare2","events":[{"introduced":"0"},{"last_affected":"91daa516ebf44f0bc422c1f6054a1938df16e25f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.5.0"}]}},{"type":"GIT","repo":"https://github.com/radareorg/radare2","events":[{"introduced":"0"},{"fixed":"65000a7fd9eea62359e6d6714f17b94a99a82edd"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.4-termux4","0.10.5","0.10.6","0.8.6","0.8.8","0.9","0.9.2","0.9.4","0.9.6","0.9.7","0.9.8","0.9.8-rc1","0.9.8-rc2","0.9.8-rc3","0.9.8-rc4","0.9.9","1.0","1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.2.0-git","1.3.0","1.3.0-git","1.4.0","1.5.0","radare2-windows-nightly","termux"],"database_specific":{"vanir_signatures_modified":"2026-04-11T03:11:44Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9763.json","vanir_signatures":[{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"read_foo","file":"shlr/grub/grubfs.c"},"signature_version":"v1","digest":{"function_hash":"50093018079397421244896597625361418417","length":376},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-05363d69"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"file":"shlr/grub/fs/fshelp.c"},"signature_version":"v1","digest":{"line_hashes":["186192924943756464181763555468864139430","55641443319602446229850769205920497332","280491680466794651509080843090589583145","335547032378663905044374140292899536908","84605424548030769826230501012879486515","204585601128743335604923370748394952071","274001338190221945543577377624447255821","29470823629993633763088166675509386907","77048903976461696628390808984920145068","108279792785668547282723233056326062797","30707623108428319697238147008768066209","17294681400476419472155064633915823995","318398608218744789927169278738284017550","54326198250660399117976150061382806738","284251345188455141154688292533486783701","239362451981981155886269902084539202684","99762480894482447437095134022924549038","11140299178830045788490440439895233252","127590469295486441905155672015917411150","47151762129937537056676130369946488748","279930666189319864152286659370523607874","98802950983847466185216709189637026064","253442857673114620266962356932518903308","104761907997859093466052376272933399319","122081251909522552226823932706268461821","108379032108172281178661483660725672545","195475526482436579877302625602072293734","47831699401726851470097140579044625237","22003009227386499766424784532167857822","118774765678929157706531352747980182379","298310316936785777164833107946358443393","47831699401726851470097140579044625237","19381685869748245634235453626177342162","264965909313579462550135299059727676152","271760460014754386516827933196152451829","28882823041337907541559222846338183804","121655865484876201030595111565188401603","267890882276940072979658247343151679827","301477685496130702639793581335712058051","276271754923964046551853808176987449618","240629441103717783030061037482148785443"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2017-9763-30cef2de"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"grub_ext2_read_block","file":"shlr/grub/fs/ext2.c"},"signature_version":"v1","digest":{"function_hash":"5358739801597375888075515559845817795","length":2187},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-3ab35a14"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"grubfs_free","file":"shlr/grub/grubfs.c"},"signature_version":"v1","digest":{"function_hash":"129736570694893583605147092088718139507","length":198},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-77232ba6"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"grub_ext4_find_leaf","file":"shlr/grub/fs/ext2.c"},"signature_version":"v1","digest":{"function_hash":"46771588241065082909032980171406297743","length":668},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-87e330d2"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"file":"shlr/grub/grubfs.c"},"signature_version":"v1","digest":{"line_hashes":["301058715867216620952357061448243191514","95149947176210170162992520935503454731","132574218014218162798985651534673233816","69581920306702710679602574438468967729","158838712395356516446770924811570755577","252436078407093388975137781070473915337","103249973437406645692632666767422217783","335238160071602887485396467765459579975","45219350962703362658246956591640021443","197391091661932353348121682841742408171","264216382799603318970090638930130780002","266798217376443730594157728320867802561","288272531172043511039197895838433884727","4737624621383553246422969282198505386","204150256656752719418810262271837195326","323865594284602165293588027599854069323","38401682018253032932776900050501333642","291940168772362371677276577506363654715","324765301828350707043440277804321143201","177854177138054263145304018668756461331"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2017-9763-b8aded61"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"find_file","file":"shlr/grub/fs/fshelp.c"},"signature_version":"v1","digest":{"function_hash":"332445747652689894180029897440306037795","length":1719},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-c21d99df"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"file":"shlr/grub/fs/ext2.c"},"signature_version":"v1","digest":{"line_hashes":["339525229199748344290306345503478282620","222200389505852733429193073323250185356","241504787028611616403329624348211765919","300868003450100860965984208983154631816","133924978023570486647487948296431157060","116526699751831409135158280023540613869","98656652165235080782174240723440839108","250070622313891370584916767660052046160","320312120450066058439396168058639583273","289541844095405112220300656285201283925","260298490242029182887304412681667944029","37557710624163169337518233377207711241","180653810247347581706092354112883108636","204126317663260488601069231273482163197","75386587373905772987496838439160876932","61686710178683975765411909850400562778","48221508099920276607001464292899339440","240529355594163499949914149342415906588","277805534490562885367708533888553808947","172548295353743586125322308962435348870","304429506354674013109940295315050924325","250845774893524231477134835523263252724","94551862412227510193880087356730407773","149477982235669364471824842658424639243","109083218170280104576082492087249981827","136557719443355028256319333696975871943","271508103359918646144132622510414164520","329826293897495945217844226993021540649","244642770564537728406410155355067334838","39370405049754942690940293290980257575","84218656446447908750975530722631681420","253002013232070758586008306802944247872","322223387899653965601138368812335333193","57604709919998006505632448644109607117","102557247731171514275284393477393818176","330655791419397568051619500332449745290","116259935465662466563075465913121780609","50177346325997542293718714144850977424","110343528105602764548968639607288225555","191467395003722974702880442325933277694","144242204795801978964019603399297405006","328063764706946413710982618754664150797","338653582432801382940331992819578743908","280721982483138478719227712595574790498","266775025380469224405754609724409309334","262772942434220355650585730651901261658","330655791419397568051619500332449745290","116259935465662466563075465913121780609","50177346325997542293718714144850977424","63613608119732956511887306772346846910","86487691068456914593190850403400069125","112867775805365609308557368406444010804","250117557131860238322385124442065600496","213147082822050059025578530083050642289","292408406052302025128060191803498650382","263838061741008275256673970016128725541","188148200181771781323289339721508477982","159446248825788274992468365536101017880","231056573439990664475065955470963898591","217533202220890909073126440175194769576","289002263518547638810109023663292739815","154077834138900797051979678854888060103"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2017-9763-df891239"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"function":"cmd_mount","file":"libr/core/cmd_mount.c"},"signature_version":"v1","digest":{"function_hash":"92403959334808391447369127527452268512","length":5053},"signature_type":"Function","deprecated":false,"id":"CVE-2017-9763-e1e9b44d"},{"source":"https://github.com/radareorg/radare2/commit/65000a7fd9eea62359e6d6714f17b94a99a82edd","target":{"file":"libr/core/cmd_mount.c"},"signature_version":"v1","digest":{"line_hashes":["17066276163921448757478639219495715351","154923386017967576517042052477700171379","125375790013521855693078949107827100802","203821503403614395967185205454342553505","120856451280034629035729055038681603043","295482430608757597300479880042768388257","108516260192474873094970822548966153283","329822881746955285835430064333303546047","67556828127070464624648406910241327830","197973765968362250097320823795265037913","74282516914068957685065426267196447948","116235760885631058641636323301341626793","19812639229312197322467841948373886001","123666584445769013547712792293249392704","38695699109056972736632725240214444018"],"threshold":0.9},"signature_type":"Line","deprecated":false,"id":"CVE-2017-9763-f4ea7da1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}