GHSA-hm2w-vr2p-hq7w: UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen
uefi-firmware contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in uefi_firmware/compression/Tiano/Decompress.c, ReadCLen() reads Number = GetBits(Sd, CBIT) with CBIT = 9, so Number can be as large as 511, while the destination array Sd->mCLen has NC = 510 elements. the loop writes while Index < Number without enforcing Index < NC. additionally, the CharC == 2 run-length path performs GetBits(Sd, 9) + 20, allowing up to 531 zero writes through Sd->mCLen[Index++] = 0.
Reachability is through the normal parsing path: CompressedSection.process() -> efi_compressor.TianoDecompress() -> TianoDecompress() -> DecodeC() -> ReadCLen().
Minimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.
- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145>
- fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e>
- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735
Details
Original advisory: https://github.com/advisories/GHSA-hm2w-vr2p-hq7w
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54334 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10