EDK2 Integer Overflow Vulnerability in iSCSI DXE Component Leading to Denial-of-Service

Vulnerability

A vulnerability exists in the EDK2 iSCSI DXE component, in versions through 202502, where a user can cause an integer overflow or wraparound over the network. The vulnerability arises when iSCSI 'Ready To Transfer' (R2T) Protocol Data Units (PDUs) are processed. Exploitation can lead to a denial-of-service condition and can cause the BIOS to reveal memory contents to the iSCSI target, creating a remote memory exposure issue.
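The advisory does not say which R2T fields or which arithmetic are involved. As an added illustration (not EDK2 code and not the project's fix), the C sketch below assumes an offset-plus-length bounds check on the R2T Buffer Offset and Desired Data Transfer Length fields defined in RFC 7143, and shows a check that wraps beside an overflow-safe one; the function names and sample values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Naive bounds check (hypothetical): the 32-bit sum wraps modulo 2^32,
 * so a very large offset plus a small length can appear to fit. */
bool r2t_in_bounds_naive(uint32_t offset, uint32_t length, uint32_t buf_len) {
  return (uint32_t)(offset + length) <= buf_len;
}

/* Overflow-safe check (hypothetical): never form offset + length.
 * Validate the offset first, then compare the length to what remains. */
bool r2t_in_bounds_safe(uint32_t offset, uint32_t length, uint32_t buf_len) {
  if (length == 0) {
    return false;                 /* RFC 7143: desired length must not be 0 */
  }
  if (offset > buf_len) {
    return false;                 /* offset already outside the buffer */
  }
  return length <= buf_len - offset;  /* cannot underflow after the check above */
}

int main(void) {
  /* Constructed sample R2T values against a 4096-byte outbound buffer. */
  const uint32_t buf_len = 4096;
  const struct { uint32_t off, len; const char *label; } samples[] = {
    { 0,           4096,   "whole buffer" },
    { 2048,        2048,   "second half" },
    { 2048,        4096,   "runs past the end" },
    { 0xFFFFF000u, 0x2000, "sum wraps to 4096" },
    { 0,           0,      "zero length" },
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    printf("%-20s naive=%d safe=%d\n", samples[i].label,
           r2t_in_bounds_naive(samples[i].off, samples[i].len, buf_len),
           r2t_in_bounds_safe(samples[i].off, samples[i].len, buf_len));
  }
  return 0;
}
```

The fourth sample is the case to watch: the naive form accepts it because the sum wraps, while the subtraction form rejects it.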

Impact

Exploitation of this vulnerability causes a denial-of-service condition and allows for remote memory exposure, where memory contents are leaked from the BIOS to an iSCSI target.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 3.8
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.