CVE-2025-0689
Last modified
CVE-2025-0689 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. EPSS estimates a 0.44% chance of exploitation in the next 30 days.
Description
When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections.
Metrics
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Grub2 | <= 2.12 |
References
- https://access.redhat.com/security/cve/CVE-2025-0689Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2346122Issue Tracking, Third Party Advisory
- https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.htmlMailing List, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2025-0689?
How severe is CVE-2025-0689?
How do I fix CVE-2025-0689?
Are you affected by CVE-2025-0689?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST