CVE-2025-1125

EUVD-2025-5597

03.03.2025, 15:15

When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffers size, however it misses to properly check for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculation to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the hfsplus_open_compressed_real() function will write past of the internal buffer length. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution by-passing secure boot protections.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 27%

Affected Products (NVD)

Vendor	Product	Version
gnu	grub2	𝑥 ≤ 2.12

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

grub2

bookworm	2.06-13+deb12u2 fixed
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
forky	2.14-2 fixed
sid	2.14-2 fixed
trixie	2.12-9+deb13u2 fixed

openSUSE / SLES Releases

openSUSE Product

Release

grub2

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-arm64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-i386-pc

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-powerpc-ieee1275

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-s390x-emu

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-snapper-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-systemd-sleep-plugin

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-efi

suse enterprise desktop 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise desktop 15 SP7	2.12-150700.17.4 fixed
suse enterprise sap 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise sap 15 SP7	2.12-150700.17.4 fixed
suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed
suse enterprise server 15 SP6	2.12-150600.8.18.2 fixed
suse enterprise server 15 SP7	2.12-150700.17.4 fixed

grub2-x86_64-xen

suse enterprise server 12 SP3	2.02-150.1 fixed
suse enterprise server 12 SP5	2.02-181.2 fixed
suse enterprise server 15 SP3	2.04-150300.22.52.3 fixed
suse enterprise server 15 SP4	2.06-150400.11.55.2 fixed
suse enterprise server 15 SP5	2.06-150500.29.43.2 fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://access.redhat.com/security/cve/CVE-2025-1125

https://bugzilla.redhat.com/show_bug.cgi?id=2346138

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html