There an out-of-bounds read at fs/ntfs.c, a physically present attacker may leverage that by presenting a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack may allow sensitive data cached in memory or EFI variables values to be leaked presenting a high Confidentiality risk.
Created grub2 tracking bugs for this issue: Affects: fedora-all [bug 2241976]
Upstream patch for this issue: https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00030.html
This is duplicating https://issues.redhat.com/browse/RHEL-11569 which is now set to RELEASE PENDING. I believe this can be closed.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:2456 https://access.redhat.com/errata/RHSA-2024:2456
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:3184 https://access.redhat.com/errata/RHSA-2024:3184