CVE 2022-28735
GRUB2's shim_lock verifier allows non-kernel files to be loaded on shim-powered secure boot systems. Allowing such files to be loaded may lead to unverified code and modules being loaded in GRUB2, breaking the secure boot trust chain.
Related bugs and status
CVE-2022-28735 (Candidate) is related to these bugs:
Bug #1926748: regression in xenial updates - grub2 cannot handle new arm64 relocations
Bug #1930742: cloud images in xenial do not get their boot path updated because we don't call grub-install --force-extra-removable
Bug #2008950: Missing modules on arm64 builds of monolithic grub
Bug | Summary | In | Importance | Status
---|---|---|---|---
2008950 | Missing modules on arm64 builds of monolithic grub | grub2 (Ubuntu) | Undecided | Fix Released
Bug #2028947: grub2-unsigned/2.12~rc1-4ubuntu1 signing
Bug | Summary | In | Importance | Status
---|---|---|---|---
2028947 | grub2-unsigned/2.12~rc1-4ubuntu1 signing | grub2-unsigned (Ubuntu) | Undecided | Fix Released
2028947 | grub2-unsigned/2.12~rc1-4ubuntu1 signing | canonical-signing-jobs | Undecided | Fix Released
2028947 | grub2-unsigned/2.12~rc1-4ubuntu1 signing | grub2-signed (Ubuntu) | Undecided | Fix Released
2028947 | grub2-unsigned/2.12~rc1-4ubuntu1 signing | canonical-signing-jobs task00 | Medium | Fix Released
2028947 | grub2-unsigned/2.12~rc1-4ubuntu1 signing | grub2 (Ubuntu) | Undecided | Fix Released
Bug #2034119: [Debian] High CVE: CVE-2021-3695/CVE-2021-3696/CVE-2021-3697/CVE-2022-28733/CVE-2022-28734/CVE-2022-28735/CVE-2022-28736 grub2: multiple CVEs
Bug | Summary | In | Importance | Status
---|---|---|---|---
2034119 | [Debian] High CVE: CVE-2021-3695/CVE-2021-3696/CVE-2021-3697/CVE-2022-28733/CVE-2022-28734/CVE-2022-28735/CVE-2022-28736 grub2: multiple CVEs | StarlingX | High | Fix Released
See the CVE page on Mitre.org for more details.