A series of critical vulnerabilities have been discovered in GRUB2, the popular boot loader used by many Linux distributions. These flaws could allow attackers to bypass security measures, potentially compromising millions of systems globally.
Daniel Kiper, a GRUB maintainer, recently published a report detailing the vulnerabilities, which range from heap overflows and out-of-bounds writes to use-after-free errors and integer overflows. These vulnerabilities exist in various parts of the GRUB2 code, including file system drivers, the network boot process, and the command line interface.
Exploitation of these vulnerabilities could have severe consequences, including:
- CVE-2024-45774: A heap out-of-bounds write in GRUB’s JPEG reader that can be triggered by a malformed JPEG file.
- CVE-2024-45776 & CVE-2024-45777: Integer overflows in the GRUB gettext module that could allow attackers to manipulate translations and corrupt critical bootloader data.
- CVE-2024-45778 & CVE-2024-45779: Bugs in the BFS file system parser that could lead to stack overflows and heap memory corruption when handling crafted file systems.
- CVE-2024-45780 & CVE-2024-45781: Vulnerabilities in the TAR and UFS file systems that could cause heap-based out-of-bounds writes.
- CVE-2025-0622: A use-after-free flaw in GRUB’s GPG module due to improper cleanup of hooks, potentially allowing arbitrary code execution.
- CVE-2025-0624: A high-severity buffer overflow in GRUB’s network boot process that could enable remote code execution over the network.
- CVE-2025-0689: A heap-based buffer overflow in the UDF file system module that may result in arbitrary code execution and Secure Boot bypass.
Most of these vulnerabilities require high privileges, meaning an attacker would typically need administrative access to exploit them. However, in compromised environments or scenarios where GRUB is improperly configured, these flaws could be leveraged for privilege escalation or persistent malware deployment.
The most severe vulnerability (CVE-2025-0624) introduces the possibility of remote code execution if exploited during a network boot sequence.
Kiper emphasized that full mitigation requires an updated shim with the latest Secure Boot Advanced Targeting (SBAT) data. Unlike previous GRUB2 security incidents, this round of fixes will not involve an update to the UEFI revocation list (dbx). Instead, Secure Boot vendors and Linux distributions will enforce mitigation through updated shims and package distributions.
Affected vendors, including major Linux distributions, have already started integrating patches into their repositories. System administrators are advised to update GRUB2, shims, and other boot components as soon as updates become available.
Related Posts:
- GRUB2 Bootloader Bugs Affect Billions of Devices
- Bypassing GRUB Security: How CVE-2023-4001 Exploits UEFI Systems
- Xiaomi Limits HyperOS Bootloader Unlocking to One Device Per Account
- CVE-2024-7344: Howyar Reloader Vulnerability Exposes UEFI Systems to Unsigned Software Threats
- Multiple Vulnerabilities in Barebox Bootloader Expose Embedded Systems to Code Execution Risks
