CVE-2025-0686

EUVD-2025-5576

03.03.2025, 18:15

A flaw was found in grub2. When performing a symlink lookup from a romfs filesystem, grub's romfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_romfs_read_symlink() may cause out-of-bounds writes when the calling grub_disk_read() function. This issue may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution by-passing secure boot protections.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.4 MEDIUM	LOCAL	HIGH	HIGH	CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 18%

Affected Products (NVD)

Vendor	Product	Version
gnu	grub2	𝑥 ≤ 2.12

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

grub2

bookworm	2.06-13+deb12u2 fixed
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2.14-2 fixed
sid	2.14-2 fixed
trixie	2.12-9+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

grub2

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-arm64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-i386-pc

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-powerpc-ieee1275

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-s390x-emu

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-snapper-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-systemd-sleep-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-xen

suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://access.redhat.com/security/cve/CVE-2025-0686

https://bugzilla.redhat.com/show_bug.cgi?id=2346121