// For flags

CVE-2025-0624

Grub2: net: out-of-bounds write in grub_net_search_config_file()

Severity Score

7.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections.

This update for grub2 fixes the following issues. Fixed strcpy overflow in ufs. Fixed a heap-based buffer overflow in hfs. Fixed strcpy overflow in hfs. Fixed an overflow in tar/cpio. Fixed a refcount overflow in hfsplus. Fixed a heap overflow in JPEG parser. Fixed a missing NULL check in extcmd parser. Fixed an overflow in .MO file handling. Fixed an integer overflow in gettext. Fixed bfs filesystem by removing it from lockdown capable modules. Fixed a heap overflow in bfs. Fixed an issue that can bypass TPM-bound disk encryption on SLM encrypted Images. Fixed an out-of-bounds write during the network boot process. Fixed a use-after-free when handling hooks during module unload in command/gpg. Fixed an integer overflow that may lead to an out-of-bounds write through the read command. Fixed an issue where the dump command was not being blocked when grub was in lockdown mode. Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in ufs. Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in reiserfs. Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in jfs. Fixed an integer overflow that may lead to an out-of-bounds write when handling symlinks in romfs. Fixed a heap-based buffer overflow in udf that may lead to arbitrary code execution. Fixed an integer overflow that may lead to an out-of-bounds write in hfs. Fixed an integer overflow that may lead to an out-of-bounds write in squash4.

*Credits: N/A
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
High
Authentication
Multiple
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
None
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-01-21 CVE Reserved
  • 2025-02-19 CVE Published
  • 2025-05-21 CVE Updated
  • 2025-06-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Red Hat
Search vendor "Red Hat"
Enterprise Linux
Search vendor "Red Hat" for product "Enterprise Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Openshift
Search vendor "Redhat" for product "Openshift"
*-
Affected
Alma
Search vendor "Alma"
Linux
Search vendor "Alma" for product "Linux"
*-
Affected
Amazon
Search vendor "Amazon"
Linux
Search vendor "Amazon" for product "Linux"
*-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
*-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
*-
Affected
Oracle
Search vendor "Oracle"
Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Openshift
Search vendor "Redhat" for product "Openshift"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel Aus
Search vendor "Redhat" for product "Rhel Aus"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel E4s
Search vendor "Redhat" for product "Rhel E4s"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel Els
Search vendor "Redhat" for product "Rhel Els"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel Eus
Search vendor "Redhat" for product "Rhel Eus"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel Tus
Search vendor "Redhat" for product "Rhel Tus"
*-
Affected
Rocky
Search vendor "Rocky"
Linux
Search vendor "Rocky" for product "Linux"
*-
Affected
Suse
Search vendor "Suse"
Sle-module-basesystem
Search vendor "Suse" for product "Sle-module-basesystem"
*-
Affected
Suse
Search vendor "Suse"
Sle-module-server-applications
Search vendor "Suse" for product "Sle-module-server-applications"
*-
Affected
Suse
Search vendor "Suse"
Sle-module-suse-manager-proxy
Search vendor "Suse" for product "Sle-module-suse-manager-proxy"
*-
Affected
Suse
Search vendor "Suse"
Sle-module-suse-manager-server
Search vendor "Suse" for product "Sle-module-suse-manager-server"
*-
Affected
Suse
Search vendor "Suse"
Sle Hpc-espos
Search vendor "Suse" for product "Sle Hpc-espos"
*-
Affected
Suse
Search vendor "Suse"
Sle Hpc-ltss
Search vendor "Suse" for product "Sle Hpc-ltss"
*-
Affected
Suse
Search vendor "Suse"
Sles-ltss-extended-security
Search vendor "Suse" for product "Sles-ltss-extended-security"
*-
Affected
Suse
Search vendor "Suse"
Sles-ltss
Search vendor "Suse" for product "Sles-ltss"
*-
Affected
Suse
Search vendor "Suse"
Sles Sap
Search vendor "Suse" for product "Sles Sap"
*-
Affected
Suse
Search vendor "Suse"
Suse-manager-proxy
Search vendor "Suse" for product "Suse-manager-proxy"
*-
Affected
Suse
Search vendor "Suse"
Suse-manager-server
Search vendor "Suse" for product "Suse-manager-server"
*-
Affected