CVE-2025-0690Out-of-bounds Write in Grub2

CWE-787Out-of-bounds WriteCWE-116Improper Encoding or Escaping of Output7 documents6 sources
Severity
6.1MEDIUMNVD
EPSS
0.0%
top 99.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
13
GNU Grub2Debian Grub2Msrc Azl3 Ansible 2.15.3-1 ON Azure Linux 3.0+10 more
Timeline
PublishedFeb 24

Description

The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further used to reallocate the line buffer to accept the next character. During this process, with a line big enough it's possible to make this variable to overflow leading to a out-of-bounds write in the heap based buffer. This flaw may be leveraged to corrupt grub's internal critical data and secure boot bypass is not discarded as consequence.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:HExploitability: 0.2 | Impact: 5.9

Affected Packages13 packages

debiandebian/grub2< grub2 2.12-6 (forky)
Debiangnu/grub2< 2.12-6+1

🔴Vulnerability Details

2
OSV
CVE-2025-0690: The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further us2025-02-24
GHSA
GHSA-9fg2-2f57-9p5h: The read command is used to read the keyboard input from the user, while reads it keeps the input length in a 32-bit integer value which is further us2025-02-24

📋Vendor Advisories

4
Red Hat
grub2: read: Integer overflow may lead to out-of-bounds write2025-02-18
Microsoft
Grub2: read: integer overflow may lead to out-of-bounds write2025-02-11
Debian
CVE-2025-0690: grub2 - The read command is used to read the keyboard input from the user, while reads i...2025
Microsoft
Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration2024-02-13