CVE-2023-4692 Overview
CVE-2023-4692 is an out-of-bounds write vulnerability in the NTFS filesystem driver of GNU GRUB2, the bootloader used by most Linux distributions. An attacker who can present a specially crafted NTFS filesystem image to GRUB2 can corrupt the bootloader's heap metadata; under some circumstances the corruption also reaches the heap metadata of the UEFI firmware. The result can be arbitrary code execution in the pre-boot environment and a bypass of UEFI Secure Boot. The flaw is classified as CWE-787 (out-of-bounds write) and CWE-122 (heap-based buffer overflow). Upstream GNU GRUB2 and Red Hat Enterprise Linux 8 and 9 are affected.
Critical Impact
Successful exploitation enables arbitrary code execution in the pre-boot environment and a bypass of UEFI Secure Boot, undermining the chain of trust on which the integrity of the entire operating system depends.
Affected Products
- GNU GRUB2 (upstream, all versions prior to the release carrying the fix)
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
Discovery Timeline
- 2023-10-25 - CVE-2023-4692 published to the National Vulnerability Database (NVD)
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2023-4692
Vulnerability Analysis
The defect resides in GRUB2's NTFS filesystem driver, which parses on-disk filesystem metadata at boot time. When the driver processes a malformed NTFS image, it writes data beyond the end of a heap buffer it allocated. This corrupts GRUB2's own heap structures and, depending on how the firmware has laid out memory, can spill into the UEFI firmware's heap.
Because GRUB2 runs in the UEFI boot services environment, after shim has verified its signature but before any kernel is loaded, code injected through this path runs with the same privileges as the bootloader itself and can load an unsigned kernel or any other payload; that is the Secure Boot bypass. A bootkit planted this way loads before the operating system and is neither visible to nor removable by operating-system-level integrity controls. Exploitation requires local access and low privileges: the attacker must get a crafted NTFS image onto storage the target reads at boot, for example by plugging in a removable device, writing a partition on an attached disk, or attaching a virtual disk to a virtual machine.
Root Cause
The root cause is insufficient bounds validation in the NTFS driver when it parses attributes inside Master File Table (MFT) entries. The driver trusts offset and length fields supplied by the filesystem image and copies the parsed data into a fixed-size heap allocation without checking that the data fits. A crafted image carrying oversized or malformed attribute fields therefore produces a heap-based out-of-bounds write.
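To make the defect class concrete, the following is an added example written for this page, not code from GRUB2 or from any vendor advisory. It contrasts an NTFS MFT attribute walk that trusts image-supplied lengths with one that validates every offset and length before using it. The field offsets are the standard on-disk layout of an NTFS MFT record and resident attribute header; the function names, error codes and the constructed records are this example's own and are not GRUB2 identifiers, and the specific code path fixed upstream is not reproduced here.

```c
/* Added example: unchecked versus checked parsing of a resident NTFS MFT
 * attribute. Not GRUB2 source; names and error codes are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MFT_RECORD_SIZE 1024u
#define ATTR_DATA       0x80u         /* $DATA attribute type */
#define ATTR_END        0xFFFFFFFFu   /* end-of-attributes marker */
#define RES_HDR_LEN     0x18u         /* fixed part of a resident attribute header */

enum { NTFS_OK = 0, NTFS_E_NOTFOUND = -1, NTFS_E_HDR = -2,
       NTFS_E_ATTR_LEN = -3, NTFS_E_VALUE = -4, NTFS_E_DEST = -5 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Vulnerable pattern: walk the attribute chain and return how many bytes a parser
 * that trusts the image would memcpy into its fixed-size destination. It performs
 * no copy, so a return larger than the destination is the overflow made visible
 * instead of executed. Only safe on the constructed records below: on arbitrary
 * input the unchecked walk itself reads out of bounds, which is the point. */
size_t naive_resident_copy_len(const uint8_t *rec, uint32_t want)
{
    uint32_t off = rd16(rec + 0x14);               /* first attribute offset, trusted */
    while (rd32(rec + off) != ATTR_END) {
        const uint8_t *a = rec + off;
        if (rd32(a) == want && a[8] == 0)          /* resident attribute of wanted type */
            return rd32(a + 0x10);                 /* value length, trusted as-is */
        off += rd32(a + 4);                        /* attribute length, trusted as-is */
    }
    return 0;
}

/* Hardened walk: every image-supplied offset and length is checked against the
 * record before use, and the value against the destination before the copy.
 * Returns bytes copied, or a negative NTFS_E_* code. */
int checked_resident_copy(const uint8_t *rec, size_t rec_size, uint32_t want,
                          uint8_t *out, size_t out_cap)
{
    if (rec_size < 0x30 || memcmp(rec, "FILE", 4) != 0)
        return NTFS_E_HDR;
    uint32_t off = rd16(rec + 0x14);
    for (;;) {
        if (off + 8 > rec_size)                    /* need the type and length fields */
            return NTFS_E_HDR;
        const uint8_t *a = rec + off;
        uint32_t type = rd32(a);
        if (type == ATTR_END)
            return NTFS_E_NOTFOUND;
        uint32_t alen = rd32(a + 4);
        /* attribute must hold a header, be 8-byte aligned, and end inside the record */
        if (alen < RES_HDR_LEN || (alen & 7) || alen > rec_size - off)
            return NTFS_E_ATTR_LEN;
        if (type == want && a[8] == 0) {
            uint32_t vlen = rd32(a + 0x10);
            uint16_t voff = rd16(a + 0x14);
            if (voff < RES_HDR_LEN || voff > alen || vlen > alen - voff)
                return NTFS_E_VALUE;               /* value must lie inside its attribute */
            if (vlen > out_cap)                    /* and fit the destination: the check whose */
                return NTFS_E_DEST;                /* absence turns a length into a heap overflow */
            memcpy(out, a + voff, vlen);
            return (int)vlen;
        }
        off += alen;
    }
}

/* Constructs a minimal MFT record with one resident $DATA attribute. The value
 * length field is taken from claimed_len so the caller can lie about it the way a
 * crafted image does. Returns the number of record bytes used. */
size_t build_mft_record(uint8_t *rec, const uint8_t *value, uint32_t real_len, uint32_t claimed_len)
{
    memset(rec, 0, MFT_RECORD_SIZE);
    memcpy(rec, "FILE", 4);
    uint16_t first = 0x38;                         /* first attribute offset */
    uint32_t alen = (RES_HDR_LEN + real_len + 7) & ~7u;
    wr16(rec + 0x14, first);
    wr32(rec + 0x1c, MFT_RECORD_SIZE);             /* allocated record size */
    uint8_t *a = rec + first;
    wr32(a + 0x00, ATTR_DATA);
    wr32(a + 0x04, alen);
    a[8] = 0;                                      /* resident */
    wr32(a + 0x10, claimed_len);                   /* value length (image-controlled) */
    wr16(a + 0x14, RES_HDR_LEN);                   /* value offset */
    memcpy(a + RES_HDR_LEN, value, real_len);
    wr32(rec + first + alen, ATTR_END);
    wr32(rec + 0x18, first + alen + 8);            /* used record size */
    return first + alen + 8;
}

static const char DEMO_VALUE[] = "grub.cfg contents";   /* 17 bytes, constructed sample */

int demo_valid_record(void)          /* honest record into a 64-byte buffer: copies 17 */
{
    uint8_t rec[MFT_RECORD_SIZE], out[64];
    size_t used = build_mft_record(rec, (const uint8_t *)DEMO_VALUE, 17, 17);
    return checked_resident_copy(rec, used, ATTR_DATA, out, sizeof out);
}
size_t demo_crafted_naive_len(void)  /* crafted record: the naive parser would write 0x7000 bytes */
{
    uint8_t rec[MFT_RECORD_SIZE];
    build_mft_record(rec, (const uint8_t *)DEMO_VALUE, 17, 0x7000);
    return naive_resident_copy_len(rec, ATTR_DATA);
}
int demo_crafted_checked(void)       /* same crafted record, hardened parser: NTFS_E_VALUE */
{
    uint8_t rec[MFT_RECORD_SIZE], out[64];
    size_t used = build_mft_record(rec, (const uint8_t *)DEMO_VALUE, 17, 0x7000);
    return checked_resident_copy(rec, used, ATTR_DATA, out, sizeof out);
}
int demo_small_destination(void)     /* honest value, 8-byte buffer: NTFS_E_DEST, no copy */
{
    uint8_t rec[MFT_RECORD_SIZE], out[8];
    size_t used = build_mft_record(rec, (const uint8_t *)DEMO_VALUE, 17, 17);
    return checked_resident_copy(rec, used, ATTR_DATA, out, sizeof out);
}
```

The unchecked walker deliberately returns the length instead of copying, so the crafted record's lie shows up as a number (0x7000 bytes destined for a 64-byte buffer) rather than as memory corruption. The two checks in the hardened version are independent: a value can be consistent with its own attribute and still exceed the caller's buffer, so the destination size must be checked as well.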
Attack Vector
A local attacker stages a malicious NTFS image on storage that GRUB2 will read during boot: a USB flash drive, a secondary partition, or a virtual disk attached to a workstation or server. When GRUB2 opens the NTFS volume to load configuration files, kernels, or initramfs images, the vulnerable parser is invoked and the heap corruption occurs. The crafted volume does not have to be the one the system boots from: with the ntfs module loaded (built into the image or pulled in by insmod), GRUB2 probes candidate filesystems while enumerating devices, for example when a search --fs-uuid directive in grub.cfg walks every visible device.
// No verified exploit code is publicly available.
// The vulnerability is triggered by parsing a crafted NTFS
// filesystem image. See the Red Hat advisory for technical
// details: https://access.redhat.com/security/cve/CVE-2023-4692
Detection Methods for CVE-2023-4692
Indicators of Compromise
- Unexpected NTFS partitions or images present on Linux systems that do not legitimately use NTFS volumes.
- Modifications to the EFI System Partition (ESP), including unsigned or unknown .efi binaries.
- GRUB2 boot failures, panics, or unexplained reboots during the early boot phase, which can be the residue of a failed or unreliable exploitation attempt.
- Changes to UEFI firmware variables or Secure Boot configuration without corresponding administrative action.
Detection Strategies
- Audit installed grub2 package versions against vendor advisories such as RHSA-2024:2456 and RHSA-2024:3184.
- Validate measured boot logs and Trusted Platform Module (TPM) PCR values against known-good baselines: shim measures the GRUB2 binary into PCR 4, and GRUB2 measures the commands it executes and the files it loads into PCR 8 and PCR 9, so a swapped bootloader or an altered boot path shows up as a changed value.
- Use file integrity monitoring on /boot and the EFI System Partition to identify unauthorized changes.
- Inspect attached storage for unauthorized NTFS images that could be staged for exploitation.
Monitoring Recommendations
- Forward boot-time logs, dmesg output, and UEFI firmware events to a centralized logging platform for correlation.
- Track grub2-install, grub2-mkconfig, and efibootmgr executions on production hosts.
- Monitor for new or modified files under /boot/efi/EFI/ across the fleet.
How to Mitigate CVE-2023-4692
Immediate Actions Required
- Apply vendor-supplied GRUB2 updates from Red Hat, Debian, Fedora, Gentoo, and NetApp advisories listed in the references.
- After patching, apply the Secure Boot revocations that accompany the update: the updated shim carries an SBAT policy that refuses to load GRUB2 builds below the fixed generation, and firmware DBX updates (delivered with fwupdmgr or vendor tooling) block older, hash-listed boot components. Before either takes effect, confirm that every boot entry on the machine, including rescue entries and any dual-boot operating system, already uses updated binaries, or those entries will stop booting.
- Restrict physical and virtual access to systems, as exploitation requires local presentation of a crafted NTFS image.
- Disable booting from removable media in firmware where operationally feasible.
Patch Information
Red Hat addressed CVE-2023-4692 in advisories RHSA-2024:2456 and RHSA-2024:3184. Upstream fixes were published on the GNU GRUB development mailing list. Debian published a fix via the Debian LTS Security Announcement, Gentoo via GLSA 202311-14, and NetApp via NTAP-20231208-0002. Refer to the Red Hat CVE Report for component mapping.
Workarounds
- Set a GRUB2 password to restrict interactive editing of boot entries. This limits what an attacker can do from the GRUB2 menu but does not prevent the NTFS parser from running on a crafted volume, so it is a hardening measure rather than a mitigation for this flaw.
- Where NTFS support is not required, avoid loading the NTFS module (no insmod ntfs in grub.cfg) and, for self-built images, omit it from the build, so the vulnerable parser is never invoked. Distribution-signed GRUB2 images cannot be rebuilt without losing their Secure Boot signature, so for them the configuration route is the only option.
- Enforce full-disk encryption (LUKS) to prevent offline tampering with the installed system. This protects /boot and the root filesystem from modification but does not stop GRUB2 from parsing an attacker-attached NTFS volume.
- Enable TPM-based measured boot and remote attestation so that a swapped or tampered boot chain is detected even when it cannot be prevented.
# Update GRUB2 and shim on Red Hat Enterprise Linux (x86_64 UEFI install)
sudo dnf update 'grub2*' 'shim*'
# Confirm the installed builds match the advisory (RHSA-2024:2456 / RHSA-2024:3184)
rpm -q grub2-efi-x64 grub2-common shim-x64
# Regenerating grub.cfg is not required after a package update; if you do, write it to
# the path your platform uses: RHEL 8 UEFI /boot/efi/EFI/redhat/grub.cfg, RHEL 9 and BIOS /boot/grub2/grub.cfg
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
# Confirm Secure Boot is enforcing, then apply any pending DBX revocation update
mokutil --sb-state
sudo fwupdmgr refresh
sudo fwupdmgr update
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.