Shim: integer overflow leads to heap buffer overflow in verify_sbat_section on 32-bit systems
Description
A heap-buffer-overflow in Shim's 32-bit UEFI boot loader allows an attacker to corrupt memory during secure boot via a crafted PE binary.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Shim, a first-stage UEFI boot loader used in secure boot environments, contains a heap-based buffer overflow in its 32-bit code path. The vulnerability occurs when an addition operation using a user-controlled value parsed from a PE binary is used for memory allocation. This leads to memory corruption when processing the SBAT section on 32-bit systems. Affected versions include all Shim builds prior to the patches released in Red Hat Enterprise Linux advisories RHSA-2024:1903, RHSA-2024:1959, and RHSA-2024:2086 [1], [2], [3], [4].
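The following is an added illustration of the bug class described above, not shim's own code: on an ia32 build the native unsigned integer is 32 bits wide, so an allocation size computed as "attacker-controlled section size plus a small constant" can wrap to a tiny value, while the later copy still uses the original length. The trailer constant, the function names and the image-size bound are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* UINTN is 32 bits wide on ia32 UEFI builds; model it explicitly so the
 * wrap-around reproduces identically on a 64-bit host. */
typedef uint32_t uintn32_t;

/* Hypothetical trailing byte added to the parsed section size before the
 * allocation (an assumption for illustration, not shim's actual arithmetic). */
#define SBAT_TRAILER 1u

/* Unchecked pattern: the sum silently wraps for a size near UINT32_MAX, so
 * the allocator hands back a tiny buffer while the copy that follows still
 * uses the original (huge) length: a heap overflow. */
uintn32_t unchecked_alloc_size(uintn32_t section_size)
{
    return section_size + SBAT_TRAILER;
}

/* Hardened pattern: overflow-checked addition (GCC/Clang builtin). A false
 * return means the section must be rejected before any allocation happens. */
bool checked_alloc_size(uintn32_t section_size, uintn32_t *alloc_size)
{
    uintn32_t sum;
    if (__builtin_add_overflow(section_size, SBAT_TRAILER, &sum))
        return false;          /* wrapped: refuse this PE section */
    *alloc_size = sum;
    return true;
}

/* Validation a loader should run before allocating for the section: the
 * declared size must fit inside the bytes actually present in the image
 * (constructed bound), and the size arithmetic must not wrap. */
bool validate_sbat_section(uintn32_t section_size, uintn32_t image_size,
                           uintn32_t *alloc_size)
{
    if (section_size > image_size)
        return false;          /* section claims more bytes than the file has */
    return checked_alloc_size(section_size, alloc_size);
}

int main(void)
{
    uintn32_t n = 0;
    printf("unchecked: 0x%08x + 1 -> %u bytes\n", UINT32_MAX,
           unchecked_alloc_size(UINT32_MAX));
    printf("checked:   0x%08x + 1 -> %s\n", UINT32_MAX,
           checked_alloc_size(UINT32_MAX, &n) ? "ok" : "rejected");
    return 0;
}
```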
Exploitation
An attacker with the ability to supply a crafted PE binary during the boot process (e.g., via a malicious boot loader or a compromised boot medium) can trigger the overflow. The attacker does not need authenticated access to the operating system itself; physical access or control over the boot chain is required. By manipulating the value that controls memory allocation, the attacker can cause a heap overflow, which may lead to controlled memory corruption [2].
Impact
Successful exploitation results in memory corruption during the early boot phase, potentially leading to a system crash or data integrity issues. In a more severe scenario, the overflow could be leveraged to bypass Secure Boot protections, allowing an attacker to load unsigned code and gain persistent control over the boot process. The vulnerability is rated Important by Red Hat [2], [4].
Mitigation
Red Hat released fixes for CVE-2023-40548 as part of shim updates in April 2024: RHSA-2024:1903 (for RHEL 8), RHSA-2024:1959 (for RHEL 9), and RHSA-2024:2086 (for RHEL 8.6 Extended Update Support) [1], [3], [4]. System administrators should update the shim package to the patched version. No workaround is documented; updating is the recommended mitigation. There is no evidence that this CVE is listed in the Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Red Hat Enterprise Linux 8.8 Extended Update Support (cpe:/a:redhat:rhel_eus:8.8::crb), range: 0:15.8-2.el8
- Red Hat Enterprise Linux 9.0 Extended Update Support (cpe:/a:redhat:rhel_eus:9.0::appstream), range: 0:15.8-2.el9
- Red Hat Enterprise Linux 7 (cpe:/o:redhat:enterprise_linux:7::server), range: 0:15.8-1.el7
- Red Hat Enterprise Linux 8 (cpe:/o:redhat:enterprise_linux:8::baseos), range: 0:15.8-4.el8_9
- Red Hat Enterprise Linux 9 (cpe:/o:redhat:enterprise_linux:9::baseos), range: 0:15.8-4.el9_3
- Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions (cpe:/o:redhat:rhel_e4s:8.2::baseos), range: 0:15.8-2.el8_2
- Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions (cpe:/o:redhat:rhel_e4s:8.4::baseos), range: 0:15.8-2.el8_4
- Red Hat Enterprise Linux 8.6 Extended Update Support (cpe:/o:redhat:rhel_eus:8.6::baseos), range: 0:15.8-2.el8_6
- Red Hat Enterprise Linux 9.2 Extended Update Support (cpe:/o:redhat:rhel_eus:9.2::baseos), range: 0:15.8-3.el9_2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2024:1834 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1835 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1873 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1876 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1883 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1902 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1903 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:1959 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:2086 (Red Hat vendor advisory)
- access.redhat.com/security/cve/CVE-2023-40548 (Red Hat CVE database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracker)
News mentions
No linked articles in our index yet.