Shim: out-of-bounds read in verify_buffer_sbat()
Description
An out-of-bounds read in Shim's SBAT validation may leak sensitive memory during system boot, affecting multiple Red Hat Enterprise Linux versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read flaw exists in Shim, a first-stage UEFI boot loader, when it validates SBAT (Secure Boot Advanced Targeting) information. The affected Shim versions are those earlier than the fixed builds shipped for Red Hat Enterprise Linux 8.6 Extended Update Support and the other affected products listed below. The issue is triggered during the boot phase when Shim processes malformed SBAT data [2][4].
Exploitation
An attacker with physical access or the ability to control the boot process (e.g., by supplying a crafted SBAT policy or malicious boot media) could trigger the out-of-bounds read. No elevated privileges are required once the attacker can influence the boot chain; the flaw manifests during legitimate SBAT validation [2][4].
Impact
Successful exploitation leads to an out-of-bounds read, which may expose sensitive data from memory during the system boot phase. The information disclosure could include cryptographic material or other secrets used by the boot process, potentially weakening Secure Boot guarantees. The vulnerability does not directly enable code execution but increases the attack surface for further compromise [1][2].
Mitigation
Red Hat has released security updates for Shim as part of RHSA-2024:1903, RHSA-2024:1959, and RHSA-2024:2086, which were published on 2024-01-29 and 2024-04-29. These updates address the out-of-bounds read by correcting the boundary checks in the verify_buffer_sbat() function. Affected systems should apply the latest shim packages from their respective updates. No workaround is documented; users must upgrade to fixed versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of publication [1][3][4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (39)
- Red Hat Enterprise Linux 9.0 Extended Update Support: cpe:/a:redhat:rhel_eus:9.0::appstream, range: 0:15.8-2.el9
- cpe:/o:redhat:enterprise_linux:7::server, range: 0:15.8-1.el7
- cpe:/o:redhat:enterprise_linux:8::baseos, range: 0:15.8-4.el8_9
- cpe:/o:redhat:enterprise_linux:9::baseos, range: 0:15.8-4.el9_3
- cpe:/o:redhat:rhel_aus:8.4::baseos, range: 0:15.8-2.el8_4
- cpe:/o:redhat:rhel_tus:8.2::baseos, range: 0:15.8-2.el8_2
- Red Hat Enterprise Linux 8.6 Extended Update Support: cpe:/o:redhat:rhel_eus:8.6::baseos, range: 0:15.8-2.el8_6
- Red Hat Enterprise Linux 8.8 Extended Update Support: cpe:/o:redhat:rhel_eus:8.8::baseos, range: 0:15.8-2.el8
- Red Hat Enterprise Linux 9.2 Extended Update Support: cpe:/o:redhat:rhel_eus:9.2::baseos, range: 0:15.8-3.el9_2
OSV coordinates (29 versions, no CPE; each entry lists the package URL and the affected version range)
- pkg:rpm/almalinux/shim-aa64, range: < 15.8-4.el8_9.alma.1
- pkg:rpm/almalinux/shim-ia32, range: < 15.8-4.el8_9.alma.1
- pkg:rpm/almalinux/shim-x64, range: < 15.8-4.el8_9.alma.1
- pkg:rpm/opensuse/shim&distro=openSUSE%20Leap%2015.5, range: < 15.8-150300.4.20.2
- pkg:rpm/opensuse/shim&distro=openSUSE%20Leap%20Micro%205.3, range: < 15.8-150300.4.20.2
- pkg:rpm/opensuse/shim&distro=openSUSE%20Leap%20Micro%205.4, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/pcr-oracle&distro=SUSE%20Linux%20Micro%206.0, range: < 0.4.6-2.1
- pkg:rpm/suse/shim&distro=SUSE%20Enterprise%20Storage%207.1, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 15.8-150100.3.38.1
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 15.8-25.30.1
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS, range: < 15.8-150100.3.38.1
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 15.8-25.30.1
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2, range: < 15.8-150100.3.38.1
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Linux%20Micro%206.0, range: < 15.8-1.1
- pkg:rpm/suse/shim&distro=SUSE%20Manager%20Proxy%204.3, range: < 15.8-150300.4.20.2
- pkg:rpm/suse/shim&distro=SUSE%20Manager%20Server%204.3, range: < 15.8-150300.4.20.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (11)
- access.redhat.com/errata/RHSA-2024:1834 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1835 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1873 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1876 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1883 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1902 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1903 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:1959 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:2086 (mitre; vendor-advisory; x_refsource_REDHAT)
- access.redhat.com/security/cve/CVE-2023-40550 (mitre; vdb-entry; x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre; issue-tracking; x_refsource_REDHAT)
News mentions (0)
No linked articles in our index yet.