Memory Corruption Vulnerability in GRUB2 by Red Hat
CVE-2020-25647

7.6HIGH

Key Information:

Vendor: Gnu
Status: Grub2
Vendor: CVE Published:; 3 March 2021

What is CVE-2020-25647?

A flaw exists in GRUB2 that arises during USB device initialization due to inadequate bounds checking when reading device descriptors. This oversight assumes that the USB device presents valid values. If an attacker successfully exploits this vulnerability, it may result in memory corruption, enabling arbitrary code execution and a successful bypass of the Secure Boot functionality. The potential impact includes severe threats to data confidentiality, integrity, and overall system availability.

Affected Version(s)

grub2 grub 2.06

References

https://bugzilla.redhat.com/show_bug.cgi?id=1886936

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisoryx_refsource_FEDORA

https://security.gentoo.org/glsa/202104-05

vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:

7.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 3, 2021
Vulnerability Reserved
Sep 16, 2020

Gnu

What is CVE-2020-25647?

Affected Version(s)

References

CVSS V3.1

Timeline