CVE-2025-0677

EUVD-2025-4654

19.02.2025, 19:15

A flaw was found in grub2. When performing a symlink lookup, the grub's UFS module checks the inode's data size to allocate the internal buffer to read the file content, however, it fails to check if the symlink data size has overflown. When this occurs, grub_malloc() may be called with a smaller value than needed. When further reading the data from the disk into the buffer, the grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack can leverage this by crafting a malicious filesystem, and as a result, it will corrupt data stored in the heap, allowing for arbitrary code execution used to by-pass secure boot mechanisms.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 13%

Debian Releases

Debian Product

Codename

grub2

bookworm	2.06-13+deb12u2 fixed
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2.14-2 fixed
sid	2.14-2 fixed
trixie	2.12-9+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

grub2

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-arm64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-i386-pc

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-powerpc-ieee1275

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-s390x-emu

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-snapper-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-systemd-sleep-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-xen

suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed

Red Hat Enterprise Linux Releases

Red Hat Product

Release

grub2-common

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-aa64

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-aa64-cdboot

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-aa64-modules

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-x64

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-x64-cdboot

RHEL 9

1:2.06-104.el9_6

fixed

grub2-efi-x64-modules

RHEL 9

1:2.06-104.el9_6

fixed

grub2-pc

RHEL 9

1:2.06-104.el9_6

fixed

grub2-pc-modules

RHEL 9

1:2.06-104.el9_6

fixed

grub2-ppc64le

RHEL 9

1:2.06-104.el9_6

fixed

grub2-ppc64le-modules

RHEL 9

1:2.06-104.el9_6

fixed

grub2-tools

RHEL 9

1:2.06-104.el9_6

fixed

grub2-tools-efi

RHEL 9

1:2.06-104.el9_6

fixed

grub2-tools-extra

RHEL 9

1:2.06-104.el9_6

fixed

grub2-tools-minimal

RHEL 9

1:2.06-104.el9_6

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://access.redhat.com/errata/RHSA-2025:16154

https://access.redhat.com/errata/RHSA-2025:6990

https://access.redhat.com/security/cve/CVE-2025-0677

https://bugzilla.redhat.com/show_bug.cgi?id=2346116

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html