FKIE_CVE-2025-0677

Vulnerability from fkie_nvd - Published: 2025-02-19 19:15 - Updated: 2025-09-18 09:15
Severity ?
6.4 (Medium) - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in grub2. When performing a symlink lookup, the grub's UFS module checks the inode's data size to allocate the internal buffer to read the file content, however, it fails to check if the symlink data size has overflown. When this occurs, grub_malloc() may be called with a smaller value than needed. When further reading the data from the disk into the buffer, the grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack can leverage this by crafting a malicious filesystem, and as a result, it will corrupt data stored in the heap, allowing for arbitrary code execution used to by-pass secure boot mechanisms.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:16154
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:6990
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2025-0677
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2346116
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in grub2. When performing a symlink lookup, the grub\u0027s UFS module checks the inode\u0027s data size to allocate the internal buffer to read the file content, however, it fails to check if the symlink data size has overflown. When this occurs, grub_malloc() may be called with a smaller value than needed. When further reading the data from the disk into the buffer, the grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack can leverage this by crafting a malicious filesystem, and as a result, it will corrupt data stored in the heap, allowing for arbitrary code execution used to by-pass secure boot mechanisms."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en grub2. Al realizar una b\u00fasqueda de enlace simb\u00f3lico, el m\u00f3dulo UFS de grub verifica el tama\u00f1o de los datos del inodo para asignar el b\u00fafer interno para leer el contenido del archivo, sin embargo, no verifica si el tama\u00f1o de los datos del enlace simb\u00f3lico se ha desbordado. Cuando esto ocurre, se puede llamar a grub_malloc() con un valor menor al necesario. Al leer m\u00e1s datos del disco en el b\u00fafer, la funci\u00f3n grub_ufs_lookup_symlink() escribir\u00e1 m\u00e1s all\u00e1 del final del tama\u00f1o asignado. Un ataque puede aprovechar esto creando un sistema de archivos malicioso y, como resultado, corromper\u00e1 los datos almacenados en el mont\u00f3n, lo que permitir\u00e1 la ejecuci\u00f3n de c\u00f3digo arbitrario utilizado para eludir los mecanismos de arranque seguro."
    }
  ],
  "id": "CVE-2025-0677",
  "lastModified": "2025-09-18T09:15:35.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 6.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 0.5,
        "impactScore": 5.9,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-02-19T19:15:15.280",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:16154"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:6990"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-0677"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346116"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.