uefi-firmware, Stack out-of-bounds write, CVE(N/A) (Medium)

Listen to this Post

The vulnerability resides in the `MakeTable()` function of the native Tiano/EFI decompressor used by the `uefi-firmware` Python package. The flaw is triggered when the decompressor processes a specially crafted firmware blob. The function `MakeTable()` reads bit-length values from a compressed bitstream but does not validate that these values fall within the expected range of 0 to 16 inclusive. An attacker can supply bit-length values greater than 16, which causes an out-of-bounds write to the stack-allocated `Count

` array and other decode tables. The exploitation path is reachable through the normal parsing flow: `CompressedSection.process()` → `efi_compressor.TianoDecompress()` → `TianoDecompress()` → `ReadPTLen()` → <code>MakeTable()</code>. The minimum impact is a deterministic crash, but under certain build or runtime conditions, the stack corruption can be escalated to achieve arbitrary code execution within the context of the parsing process. The `uefi-firmware` project shipped its own copy of the decompressor without the upstream EDK2 hardening patches that address this class of vulnerability. The advisory for this issue was published on April 16, 2026, and the fix commit is available in the project's repository.

<h2 style="color: blue;">DailyCVE Form:</h2>

Platform: `uefi-firmware`
Version: `<=1.12`
Vulnerability: `Stack out-of-bounds write`
Severity: `Medium`
Date: `2026-04-16`


<h2 style="color: blue;">Prediction: `2026-04-16`</h2>

<h2 style="color: blue;">What Undercode Say:</h2>

Analytics indicate that the absence of input validation on bit-length values in the decompression routine is a direct copy of a known bug class from the original EDK2 codebase. The following commands can be used to detect or mitigate the issue.
[bash]
Check if the vulnerable version of uefi-firmware is installed
pip show uefi-firmware | grep Version
Verify if the installed version is vulnerable (<=1.12)
python -c "import uefi_firmware; print(uefi_firmware.<strong>version</strong>)"
Test a known good firmware blob for decompression issues
uefi-firmware-parser -e -o /tmp/out /path/to/firmware.bin
Apply the hardening patch from the upstream commit
git clone https://github.com/theopolis/uefi-firmware-parser
cd uefi-firmware-parser
git checkout bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e
pip install .

Exploit:

A remote attacker with the ability to supply a crafted UEFI firmware image can trigger the vulnerability. The exploit requires crafting a firmware blob where the bit-length values in the compressed data exceed 16, leading to out-of-bounds writes. The attacker can then leverage the resulting memory corruption for denial of service or, potentially, arbitrary code execution.

Protection from this CVE:

  • Upgrade to a patched version of `uefi-firmware` (version >1.12 or any version including the fix commit bf3dfaa).
  • Input validation: Implement external checks on firmware blobs before passing them to the parser.
  • Use a sandbox or isolated environment for parsing untrusted UEFI firmware to limit the impact of exploitation.
  • Monitor for known exploit patterns in compressed firmware sections.

Impact:

  • Denial of Service (DoS): The most immediate impact is a crash of the parsing process.
  • Potential Code Execution: Under specific conditions, the stack-based out-of-bounds write may be chained into a working exploit for arbitrary code execution, compromising the system’s integrity.
  • Supply Chain Risk: Since this parser is used in analysis tools, a compromised firmware image could lead to lateral movement in environments where the tool is used on untrusted input.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top