CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionNVD
A flaw was found in command/gpg. In some scenarios, hooks created by loaded modules are not removed when the related module is unloaded. This flaw allows an attacker to force grub2 to call the hooks once the module that registered it was unloaded, leading to a use-after-free vulnerability. If correctly exploited, this vulnerability may result in arbitrary code execution, eventually allowing the attacker to bypass secure boot protections.
AnalysisAI
GRUB2 bootloader fails to properly unload module-registered hooks during module unloading, creating a use-after-free condition that allows privileged local attackers to execute arbitrary code and potentially bypass secure boot protections. The vulnerability affects GRUB2 across multiple distributions including Red Hat Enterprise Linux and SUSE Linux Enterprise, with patch availability confirmed through multiple security advisories issued in early 2025. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in the GRUB2 command/gpg module implementation, which manages cryptographic operations during boot. GRUB2's modular architecture allows runtime loading and unloading of functional modules; each module can register callback hooks with the bootloader's hook system. The flaw stems from incomplete cleanup logic in the module unload pathway-when a module is removed from memory, its registered hooks remain in the hook registry pointing to now-freed memory locations. CWE-416 (Use After Free) categorizes this as a memory safety violation where freed memory is subsequently dereferenced. The attack surface is confined to the boot environment where an attacker with high privilege (root or firmware access) can trigger module unloading followed by hook invocation, resulting in execution of arbitrary code at the bootloader privilege level. This is particularly critical because GRUB2 executes before operating system kernel initialization and before secure boot verification completion.
Affected ProductsAI
Red Hat Enterprise Linux is affected across multiple versions with patches released via RHSA-2025:16154 and RHSA-2025:6990. SUSE Linux Enterprise is affected across multiple product lines with patches released via SUSE-SU-2025:01961, SUSE-SU-2025:0586, SUSE-SU-2025:0587, SUSE-SU-2025:0588, SUSE-SU-2025:0607, SUSE-SU-2025:0629, SUSE-SU-2025:20511, SUSE-SU-2025:20863, and SUSE-SU-2025:14822. The underlying affected software is GNU GRUB2 with module management functionality; specific version ranges are documented in the referenced vendor security advisories. CPE string cpe:2.3:a:gnu:grub2 matches the core affected software. Fedora and other distributions shipping GRUB2 may also be affected pending their advisory releases.
RemediationAI
Apply vendor-released security patches immediately through official distribution channels: for Red Hat Enterprise Linux, install updates referenced in RHSA-2025:16154 and RHSA-2025:6990; for SUSE Linux Enterprise, apply updates from the corresponding SUSE-SU advisories listed in the vulnerability references. The patches resolve the module hook cleanup logic to properly deregister hooks during module unloading. If immediate patching is not feasible, restrict physical or remote firmware access to GRUB2 configuration and module loading mechanisms to trusted administrators only, and disable non-essential GRUB2 modules that are not required for boot. Monitor boot logs and secure boot status indicators for any anomalies suggesting exploitation attempts. Organizations managing large fleets should prioritize patching production systems in security-sensitive environments (financial services, critical infrastructure, high-assurance computing) first, as these face elevated supply chain compromise risks.
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today