CVE-2025-4382Missing Authentication for Critical Function in Grub2

CWE-306Missing Authentication for Critical Function5 documents5 sources
Severity
5.9MEDIUMNVD
EPSS
0.1%
top 77.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
GNU Grub2Debian Grub2
Timeline
PublishedMay 9

Description

A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This sce

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 0.7 | Impact: 5.2

Affected Packages2 packages

debiandebian/grub2< grub2 2.14~git20250718.0e36779-2 (forky)
Debiangnu/grub2< 2.14~git20250718.0e36779-2

🔴Vulnerability Details

2
OSV
CVE-2025-4382: A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption2025-05-09
GHSA
GHSA-4h4m-5x9g-8whv: A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption2025-05-09

📋Vendor Advisories

2
Red Hat
grub2: grub allow access to encrypted device through CLI once root device is unlocked via TPM2025-05-08
Debian
CVE-2025-4382: grub2 - A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured ...2025