CVE-2025-0677

Severity: MEDIUM (CVSS 3.1 base score 6.4)
Published: 2025-02-19 ([email protected])

CVSS Vector (NVD): CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd) - patch available
Analysis Generated: Mar 24, 2026 - 23:22 (vuln.today)
CVE Published: Feb 19, 2025 - 19:15 (nvd)

Description (NVD)

A flaw was found in grub2. When performing a symlink lookup, GRUB's UFS module checks the inode's data size to allocate the internal buffer used to read the file content; however, it fails to check whether the symlink data size has overflowed. When this occurs, grub_malloc() may be called with a smaller value than needed. When the data is then read from the disk into the buffer, the grub_ufs_lookup_symlink() function writes past the end of the allocated size. An attacker can leverage this by crafting a malicious filesystem; as a result, data stored in the heap is corrupted, allowing arbitrary code execution that can be used to bypass secure boot mechanisms.

Analysis (AI)

GRUB2's UFS module fails to validate the symlink data size during inode processing, allowing an integer overflow that results in an undersized heap buffer allocation. When the symlink content is subsequently read into this undersized buffer, a heap overflow corrupts adjacent memory and enables arbitrary code execution that bypasses secure boot. Affected GRUB2 builds shipped by Red Hat and SUSE are vulnerable when they process maliciously crafted UFS filesystems; the EPSS score of 0.07% (22nd percentile) suggests low real-world exploitation likelihood despite the severe technical impact.

Technical Context (AI)

GRUB2 is the GNU bootloader used across Red Hat, SUSE, and Debian-based distributions to load kernels during system boot. The UFS (Unix File System) module within GRUB2 implements filesystem parsing to locate and load kernel images. The vulnerability exists in the grub_ufs_lookup_symlink() function, which processes symbolic links stored in UFS inodes. The root cause is classified as CWE-787 (out-of-bounds write) stemming from an integer overflow: the code reads the inode's data size field to determine the size of the buffer it allocates via grub_malloc(), but does not validate whether that size value has overflowed. When an attacker crafts a UFS filesystem with an overflowed size field, grub_malloc() allocates insufficient heap memory, and the subsequent file read writes beyond the allocated buffer boundary, corrupting heap metadata and adjacent allocations. This memory corruption occurs in the bootloader context, before the operating system kernel executes, allowing attackers to inject and execute malicious code within GRUB's execution environment and thereby defeat secure boot mechanisms that validate only the kernel image.
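The allocation-size check described above, modelled as an added example that is not GRUB's source: a 32-bit inode size type, the extra terminator byte added to the allocation, and the sample symlink target are all assumptions. It places the unchecked size computation beside an overflow-checked one that refuses the inode instead of allocating an undersized buffer.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not GRUB's code: the inode's data size is taken as a
 * 32-bit value and the reader needs data_size + 1 bytes (one for a NUL). */
typedef uint32_t inode_size_t;

/* Constructed sample symlink target standing in for on-disk data. */
static const unsigned char SAMPLE_TARGET[] = "/boot/vmlinuz";
#define SAMPLE_TARGET_LEN 13u

/* Vulnerable pattern: the +1 wraps to 0 when data_size == UINT32_MAX, so a
 * far smaller buffer is requested than the bytes later copied into it. */
static inode_size_t alloc_size_unchecked(inode_size_t data_size)
{
    return data_size + 1;
}

/* Hardened pattern: detect the wraparound before any allocation happens.
 * Returns false (and leaves *out untouched) if the addition would overflow. */
static bool alloc_size_checked(inode_size_t data_size, inode_size_t *out)
{
    inode_size_t sz;
    if (__builtin_add_overflow(data_size, (inode_size_t)1, &sz))
        return false;
    *out = sz;
    return true;
}

/* Reader that rejects an inode whose declared size cannot be represented.
 * Returns NULL on rejection or allocation failure; the caller frees. */
static char *read_symlink_checked(const unsigned char *disk,
                                  inode_size_t data_size)
{
    inode_size_t sz;
    if (!alloc_size_checked(data_size, &sz))
        return NULL;               /* oversized symlink: refuse, don't wrap */
    char *buf = malloc(sz);
    if (buf == NULL)
        return NULL;
    memcpy(buf, disk, data_size);  /* now guaranteed to fit in sz - 1 bytes */
    buf[data_size] = '\0';
    return buf;
}
```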

Affected Products (AI)

GRUB2 is affected across multiple distributions. Red Hat Security Advisory RHSA-2025:16154 and RHSA-2025:6990 document affected Red Hat products; SUSE Security Updates SU-2025:01961, SU-2025:0586, SU-2025:0587, SU-2025:0588, SU-2025:0607, SU-2025:0629, SU-2025:20511, SU-2025:20863, and SU-2025:14822 confirm multiple SUSE Linux Enterprise versions are vulnerable. The GRUB2 project itself (referenced via grub-devel mailing list in February 2025) is the upstream source of the vulnerability. Specific version ranges and CPE identifiers (cpe:2.3:a:gnu:grub2) are available via the vendor advisories at https://access.redhat.com/errata/RHSA-2025:16154, https://access.redhat.com/errata/RHSA-2025:6990, and https://www.suse.com/support/update/ for each enumerated SUSE-SU advisory. Red Hat Bug 2346116 provides additional technical tracking.

Remediation (AI)

Apply the vendor-released security updates from Red Hat (RHSA-2025:16154 or RHSA-2025:6990, depending on product line) or SUSE (the SU-2025 advisory matching your SUSE Linux Enterprise version and architecture). Instructions are available at https://access.redhat.com/errata/RHSA-2025:16154, https://access.redhat.com/security/cve/CVE-2025-0677, and the corresponding SUSE security update URLs. Until patching is completed, restrict bootloader access by ensuring the physical security of systems, disabling external/USB boot options in the BIOS/UEFI firmware, and validating the filesystem integrity of boot partitions. Organizations relying on secure boot for enforcement should verify that firmware-level secure boot remains enabled and that the boot order is restricted to internal trusted storage. No workaround fully mitigates the vulnerability without patching GRUB2 itself.

Vendor Status (Vendor)


CVE-2025-0677 vulnerability details – vuln.today
