{"id":"UBUNTU-CVE-2020-27779","details":"A flaw was found in grub2 in versions prior to 2.06. The cutmem command does not honor secure boot locking, allowing a privileged attacker to remove address ranges from memory, creating an opportunity to circumvent SecureBoot protections after proper triage of grub's memory layout. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.","modified":"2026-02-04T03:46:06.647349Z","published":"2021-03-02T18:00:00Z","related":["USN-4992-1"],"upstream":["CVE-2020-27779"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-27779"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4992-1"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2020-27779"}],"affected":[{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.34.24?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.22","1.23","1.24","1.25","1.26","1.27","1.30","1.31","1.32","1.33","1.34","1.34.1","1.34.2","1.34.3","1.34.4","1.34.5","1.34.6","1.34.7","1.34.8","1.34.9","1.34.13","1.34.14","1.34.16","1.34.17","1.34.18","1.34.20","1.34.22","1.34.24"],"ecosystem_specific":{"binaries":[{"binary_version":"1.34.24+2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27779.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.167~18.04.5?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.167~18.04.5"}]}],"versions":["1.85","1.86","1.87","1.89","1.91","1.92","1.93","1.93.1","1.93.2","1.93.3","1.93.4","1.93.5","1.93.7","1.93.8","1.93.10","1.93.11","1.93.13","1.93.14","1.93.15","1.93.16","1.93.18","1.93.19","1.93.20","1
.93.21","1.93.22","1.93.24","1.167~18.04.1","1.167~18.04.3"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"1.167~18.04.5+2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.167~18.04.5+2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27779.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.04-1ubuntu44.1.2?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.04-1ubuntu44.1.2"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27779.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.167.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.167.2"}]}],"versions":["1.128","1.129","1.130","1.131","1.133","1.134","1.135","1.136","1.137","1.138","1.139","1.140","1.141","1.142","1.142.1","1.142.3","1.142.4","1.142.5","1.142.6","1.142.8","1.142.9","1.142.10","1.142.11","1.167"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_version":"1.167.2+2.04-1ubuntu44.2","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.167.2+2.04-1ubuntu44.2","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27779.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.04-1ubuntu44.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.04-1ubuntu44.2"}]}],"versions":["2.04-1ubuntu44"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.04-1ubuntu44.2","binary_name":"grub-efi-amd64"},{"binary_version":"2.04-1ubuntu44.2","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.04-1ubuntu44.2","binary_name":"grub-efi-arm64"},{"binary_version":"2.04-1ubuntu44.2","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2020/UBUNTU-CVE-2020-27779.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}