{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-16T00:00:00Z",
  "bugzilla" : {
    "description" : "edk2: Infinite loop when parsing a PadN option in the Destination Options header",
    "id" : "2258694",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2258694"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-835",
  "details" : [ "EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing a PadN option in the Destination Options header of IPv6. This vulnerability can be triggered by an unauthenticated remote attacker using a crafted IPv6 packet and leads to a loss of Availability (denial of service); consistent with the CVSS vector (C:N/I:N/A:H), no loss of confidentiality or integrity is recorded.", "The Network Package in EDK2 is vulnerable to an infinite loop when parsing a PadN option within the Destination Options header of IPv6. This flaw allows an unauthenticated attacker to send a crafted packet that hangs the firmware's IPv6 option parsing, resulting in a loss of system availability." ],
  "statement" : "The identified vulnerability in EDK2's Network Package poses a moderate risk due to an infinite loop in the Ip6IsOptionValid function, specifically when parsing a PadN option in the Destination Options header of an IPv6 packet. The flaw occurs because the Offset variable is a UINT8: adding 0x100 to it is truncated, so Offset is left unchanged and the option-parsing loop never advances. Because the loop runs in firmware while the packet is being processed, the affected computer never finishes booting up; the impact is therefore a denial of service rather than code execution or data disclosure. The issue is expected to be reachable only when the firmware's IPv6 networking is in use and the system is exposed to attacker-controlled IPv6 traffic.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:3017",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "edk2-0:20220126gitbb1bba3d77-13.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-15T00:00:00Z",
    "advisory" : "RHSA-2024:8104",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "edk2-0:20220126gitbb1bba3d77-4.el8_8.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2264",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "edk2-0:20231122-6.el9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-45233\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-45233\nhttps://blog.quarkslab.com/pixiefail-nine-vulnerabilities-in-tianocores-edk-ii-ipv6-network-stack.html\nhttps://github.com/advisories/GHSA-p9h6-p7cr-7842" ],
  "name" : "CVE-2023-45233",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}