Vulnerability Description
When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnu | Grub2 | <= 2.12 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2025-0689Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2346122Issue TrackingThird Party Advisory
- https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.htmlMailing ListVendor Advisory
FAQ
What is CVE-2025-0689?
CVE-2025-0689 is a vulnerability with a CVSS score of 7.8 (HIGH). When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sec...
How severe is CVE-2025-0689?
CVE-2025-0689 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-0689?
Check the references section above for vendor advisories and patch information. Affected products include: Gnu Grub2.