GHSA-HM2W-VR2P-HQ7W: GHSA-HM2W-VR2P-HQ7W: Heap Out-of-Bounds Write in uefi-firmware-parser Tiano Decompressor

#security #cve #cybersecurity #ghsa

GHSA-HM2W-VR2P-HQ7W: Heap Out-of-Bounds Write in uefi-firmware-parser Tiano Decompressor

Vulnerability ID: GHSA-HM2W-VR2P-HQ7W
CVSS Score: 9.8
Published: 2026-04-16

A critical heap-based out-of-bounds write vulnerability exists in the Tiano/EFI decompression algorithm of the uefi-firmware-parser library. An attacker can supply a maliciously crafted compressed EFI file to corrupt heap memory, leading to potential arbitrary code execution or denial of service.

TL;DR

The uefi-firmware-parser library lacks bounds checking in its Tiano decompressor (ReadCLen function). This allows an attacker to write past the bounds of internal arrays on the heap via a crafted compressed file, achieving arbitrary code execution or DoS. Users must update to version 1.13.

Technical Details

CWE ID: CWE-787
Attack Vector: Network
CVSS Score: 9.8
Impact: Remote Code Execution / Denial of Service
Exploit Status: No public PoC
KEV Status: Not Listed

Affected Systems

uefi-firmware-parser (GitHub)
uefi_firmware (PyPI)
uefi-firmware-parser: < 1.13 (Fixed in: 1.13)

Code Analysis

Commit: bf3dfaa

Apply hardening fixes from upstream Tiano implementation

Mitigation Strategies

Upgrade the uefi-firmware-parser component to version 1.13 or later.
Run firmware parsing tasks inside heavily restricted, ephemeral sandboxes (e.g., gVisor, restricted Docker containers).
Validate the integrity and source of UEFI firmware volumes before subjecting them to deep analysis.

Remediation Steps:

Identify all projects and virtual environments utilizing the uefi_firmware PyPI package.
Update the project dependencies to specify uefi_firmware>=1.13.
Rebuild and redeploy application containers and continuous integration pipelines.
Verify the installed version by running pip show uefi_firmware in target environments.