A critical set of 20 security vulnerabilities in GRUB2, the widely used bootloader for Linux systems, has been revealed, exposing millions of devices to potential secure boot bypass and remote code execution attacks.
Discovered during a proactive hardening initiative, these flaws—assigned CVSS scores as high as 7.5—affect core components handling filesystem parsing, memory management, and network configurations.
Patches released on February 18, 2025, aim to address risks ranging from heap overflows during JPEG processing to memory corruption in UEFI Secure Boot environments.
.png
)
Systemic Vulnerabilities in Bootloader Architecture
The GRUB2 bootloader’s role in initializing operating systems makes it a high-value target for attackers seeking to compromise device integrity before OS protections activate.
Researchers identified multiple attack vectors across filesystem drivers, including integer overflow-to-heap corruption chains in UFS, HFS+, and ReiserFS implementations.
For instance, CVE-2025-0677 allows crafted symlinks in UFS partitions to trigger buffer overflows during inode processing, while CVE-2024-45782 exploits unvalidated volume name lengths in HFS mounts to overwrite heap metadata.
Network boot configurations face critical risks through CVE-2025-0624, where malicious DHCP servers could inject oversized configuration paths into GRUB2’s network stack, enabling arbitrary code execution within the pre-boot environment.
“This vulnerability effectively bridges network-based attackers into the secure enclave of the boot process,” noted Red Hat security engineer Marco A Benatto in the patch notes.
Filesystem Parsing
Seven vulnerabilities stem from insufficient bounds checking in filesystem drivers.
The Squash4 (CVE-2025-0678) and JFS (CVE-2025-0685) modules exhibit similar flaws where attacker-controlled size values cause undersized buffer allocations, leading to out-of-bounds writes during file reads.
Similarly, the ROMFS driver (CVE-2025-0686) allows integer overflow during symlink resolution, corrupting adjacent heap structures.
Oracle’s Jan Setje-Eilers emphasized that “these vulnerabilities bypass traditional file integrity checks by exploiting legitimate filesystem operations”.
Even GRUB2’s handling of common formats like JPEG images poses risks.
CVE-2024-45774 enables specially crafted JPEG files—potentially embedded in boot themes or EFI system partitions—to overwrite critical memory regions through duplicate SOF0 markers.
This could enable persistence across reboots or modification of verified boot measurements.
The most severe vulnerabilities, including CVE-2025-0622’s use-after-free in GPG module unloading, directly threaten UEFI Secure Boot’s integrity.
By hijacking hook functions after module ejection, attackers could execute rogue payloads with bootloader privileges.
Meanwhile, CVE-2025-1118’s unsecured memory dump capability risks exposing cryptographic secrets when Secure Boot is active.
Mitigation requires coordinated updates to GRUB2, shim, and SBAT metadata, as traditional UEFI revocation lists (dbx) won’t be used.
“Vendors must rebuild boot artifacts with SBAT generation 5 or higher to enforce component-level revocation,” explained Daniel Kiper, GRUB2 maintainer.
Major distros including Red Hat, SUSE, and Oracle Linux began rolling out patched packages starting February 25, 2025.
Despite patches, residual risks persist for legacy systems and embedded devices with infrequent update cycles.
Jonathan Bar Or, who reported six vulnerabilities, warned: “GRUB2’s deep integration with hardware trust chains means a single unpatched system could undermine network-wide secure boot assurances.”
The discovery team, including Nils Langius and B Horn, credited improved fuzz testing frameworks for uncovering these flaws but cautioned that “manual code review remains essential given GRUB2’s complexity”.
As attackers increasingly target low-level components, this coordinated disclosure highlights the critical role of cross-industry collaboration in firmware security.
System administrators are urged to prioritize bootloader updates and verify SBAT status using tools like mokutil, while developers must adopt modern memory-safe paradigms in legacy codebases.
The GRUB2 vulnerabilities serve as a stark reminder that in secure computing, the chain is only as strong as its first link.
Collect Threat Intelligence on the Latest Malware and Phishing Attacks with ANY.RUN TI Lookup -> Try for free
