Integer Overflow Vulnerability in GRUB2 Affects Red Hat Products
CVE-2025-0678

7.8HIGH

Key Information:

Vendor: Gnu
Status: Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 3 March 2025

Summary

A flaw in GRUB2's squash4 filesystem module allows user-controlled parameters to affect buffer size calculations, risking integer overflows. An attacker can exploit this vulnerability by crafting a malicious filesystem, potentially leading to an out-of-bounds write during data reading. This exploitation could corrupt critical internal data and enable arbitrary code execution, thus bypassing secure boot protections.

References

https://access.redhat.com/security/cve/CVE-2025-0678

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2346118

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 3, 2025
Vulnerability Reserved
Jan 23, 2025