CVE-2025-1118
Severity: MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Description
A flaw was found in grub2. Grub's dump command is not blocked when grub is in lockdown mode, which allows the user to read any memory information, and an attacker may leverage this in order to extract signatures, salts, and other sensitive information from the memory.
Analysis
The GRUB2 bootloader fails to enforce lockdown mode restrictions on the dump command, allowing local privileged users to read arbitrary memory contents and extract sensitive cryptographic material, including signatures, salts, and other secrets. GRUB2 is affected across multiple Linux distributions, including Red Hat Enterprise Linux and SUSE Linux Enterprise. The vulnerability carries a CVSS score of 4.4 with a low EPSS exploitation probability of 0.05% (14th percentile), indicating limited real-world attack likelihood despite the information disclosure impact. No public exploit code or active exploitation had been identified at the time of analysis.
Technical Context
GRUB2 is the bootloader used by most Linux distributions to load the kernel during system startup. The vulnerability stems from improper access control enforcement (CWE-501: Trust Boundary Violation): the dump command, which is designed for debugging and memory inspection, remains accessible when GRUB enters lockdown mode, a security hardening feature that restricts dangerous operations. Lockdown mode is typically activated on systems with Secure Boot or other integrity protections to prevent unauthorized firmware or bootloader modifications. The root cause is that the dump command was not included in the set of operations blocked during lockdown, leaving a gap in the security boundary that separates privileged bootloader operations from restricted ones. An attacker with high-level privileges (PR:H in the CVSS vector) can use this gap to read memory directly at boot time, before standard operating system protections are in place.
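The root cause described above is an allow-by-default registry: a command is refused in lockdown only if it was registered with the lockdown marking, so a command that is dangerous but registered like any other simply slips through. The following added model (not GRUB source code; every name such as `cmd_t`, `register_command`, `register_command_lockdown`, `dispatch` and `count_unguarded` is hypothetical) shows that pattern with the dump command registered both without the marking (the gap) and with it (the fixed shape), plus a small audit helper of the kind a maintainer could use to catch the same omission for other memory-touching commands.

```c
/* Added illustrative model, not GRUB source code: a minimal command registry
 * that refuses lockdown-flagged commands once lockdown is active. All names
 * here are hypothetical; the point is that a command is only gated if it was
 * explicitly marked, which is the gap this CVE describes for "dump". */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_CMDS          16
#define CMD_FLAG_NONE     0x0
#define CMD_FLAG_LOCKDOWN 0x1   /* refuse this command while lockdown is active */

enum { DISPATCH_OK = 0, DISPATCH_UNKNOWN = -1, DISPATCH_LOCKED_DOWN = -2 };

typedef struct {
    const char *name;
    unsigned flags;
    int (*handler)(void);
} cmd_t;

static cmd_t cmd_table[MAX_CMDS];
static int cmd_count;
static bool lockdown_active;

/* Generic registration: the caller decides whether the command is gated. */
static int register_command(const char *name, unsigned flags, int (*handler)(void))
{
    if (cmd_count >= MAX_CMDS)
        return -1;
    cmd_table[cmd_count++] = (cmd_t){ name, flags, handler };
    return 0;
}

/* Registration for commands that must be unavailable in lockdown. */
static int register_command_lockdown(const char *name, int (*handler)(void))
{
    return register_command(name, CMD_FLAG_LOCKDOWN, handler);
}

/* Look the command up and enforce the lockdown gate before running it. */
int dispatch(const char *name)
{
    for (int i = 0; i < cmd_count; i++) {
        if (strcmp(cmd_table[i].name, name) != 0)
            continue;
        if (lockdown_active && (cmd_table[i].flags & CMD_FLAG_LOCKDOWN))
            return DISPATCH_LOCKED_DOWN;
        return cmd_table[i].handler();
    }
    return DISPATCH_UNKNOWN;
}

/* Stand-in handlers: the real dump reads memory; this model does nothing. */
static int dump_handler(void) { return DISPATCH_OK; }
static int ls_handler(void)   { return DISPATCH_OK; }

void registry_reset(bool lockdown)
{
    cmd_count = 0;
    lockdown_active = lockdown;
}

/* "Before": dump is registered like a harmless command, so the gate in
 * dispatch() never applies to it, no matter what the lockdown state is. */
void register_commands_before_fix(void)
{
    register_command("ls", CMD_FLAG_NONE, ls_handler);
    register_command("dump", CMD_FLAG_NONE, dump_handler);
}

/* "After": dump goes through the lockdown-aware registration helper. */
void register_commands_after_fix(void)
{
    register_command("ls", CMD_FLAG_NONE, ls_handler);
    register_command_lockdown("dump", dump_handler);
}

/* Audit helper: count registered commands named in `sensitive` that lack the
 * lockdown flag. Any non-zero result is the kind of omission this CVE is. */
int count_unguarded(const char *const *sensitive, int n)
{
    int missing = 0;
    for (int s = 0; s < n; s++)
        for (int i = 0; i < cmd_count; i++)
            if (strcmp(cmd_table[i].name, sensitive[s]) == 0 &&
                !(cmd_table[i].flags & CMD_FLAG_LOCKDOWN))
                missing++;
    return missing;
}

int main(void)
{
    const char *const sensitive[] = { "dump" };

    registry_reset(true);
    register_commands_before_fix();
    printf("before fix, lockdown on: dump -> %d, unguarded=%d\n",
           dispatch("dump"), count_unguarded(sensitive, 1));

    registry_reset(true);
    register_commands_after_fix();
    printf("after fix,  lockdown on: dump -> %d, unguarded=%d\n",
           dispatch("dump"), count_unguarded(sensitive, 1));
    return 0;
}
```

The design lesson is that a gate keyed on a per-command flag is only as complete as the list of commands someone remembered to flag; an audit like `count_unguarded` over every command that can read or write memory is the check that would have surfaced the missing marking before release.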
Affected Products
GRUB2 is affected across multiple distributions with confirmations from both Red Hat and SUSE. Red Hat Enterprise Linux systems are covered under advisory RHSA-2025:16154 and CVE tracking at https://access.redhat.com/security/cve/CVE-2025-1118. SUSE Linux Enterprise is affected across multiple product lines with patches available in advisories SUSE-SU-2025:01961, SUSE-SU-2025:0586, SUSE-SU-2025:0587, SUSE-SU-2025:0588, SUSE-SU-2025:0607, SUSE-SU-2025:0629, SUSE-SU-2025:20511, SUSE-SU-2025:20863, and SUSE-SU-2025:14822. The upstream GRUB project confirmed the issue via commit 34824806ac6302f91e8cabaa41308eaced25725f (https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f) with discussion at https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html. Specific version ranges and CPE strings are referenced in the Red Hat bugzilla report at https://bugzilla.redhat.com/show_bug.cgi?id=2346137.
Remediation
Apply vendor-supplied patches immediately for production systems where Secure Boot or bootloader integrity is enforced. For Red Hat Enterprise Linux systems, apply updates referenced in RHSA-2025:16154 (https://access.redhat.com/errata/RHSA-2025:16154). For SUSE Linux Enterprise, apply the appropriate updates from the SUSE security advisories matching your product line (SUSE-SU-2025:01961 for SLE 15 SP5, SUSE-SU-2025:0586 for SLE 12 SP5, and corresponding advisories for other SLE versions). The upstream GRUB fix is available in the referenced commit and should be included in distribution kernel and bootloader updates. For systems where immediate patching is not feasible, restrict physical or virtual console access to trusted administrators only, ensure Secure Boot remains enabled to prevent bootloader downgrade attacks, and audit system access logs for unauthorized bootloader access attempts. Verify patch application by confirming GRUB2 version updates in your distribution and testing that lockdown mode restrictions are properly enforced (consult distribution documentation for lockdown mode verification procedures).