CVE-2025-0684: GNU Grub2 RCE Vulnerability

CVE-2025-0684 Overview

CVE-2025-0684 is an integer overflow vulnerability in GNU GRUB2's ReiserFS filesystem module. The flaw resides in grub_reiserfs_read_symlink(), which uses attacker-controlled filesystem geometry parameters to size an internal buffer. Improper overflow checks cause grub_malloc() to allocate a buffer smaller than expected. The subsequent call to grub_reiserfs_read_real() writes attacker data past the allocation boundary, producing a heap-based out-of-bounds write [CWE-787]. An attacker who controls a ReiserFS image can corrupt GRUB's internal data structures, achieve arbitrary code execution in the bootloader, and bypass UEFI Secure Boot.

Critical Impact

Successful exploitation enables pre-boot arbitrary code execution and circumvention of Secure Boot integrity guarantees on affected systems.

Affected Products

• GNU GRUB2 (all versions prior to the upstream fix)
• Linux distributions shipping the ReiserFS GRUB2 module, including Red Hat Enterprise Linux
• Systems with UEFI Secure Boot relying on GRUB2 as the shim-trusted bootloader

Discovery Timeline

• 2025-03-03 - CVE-2025-0684 published to the National Vulnerability Database
• 2025-07-28 - Last updated in the NVD database

Technical Details for CVE-2025-0684

Vulnerability Analysis

GRUB2 includes a ReiserFS filesystem driver that parses on-disk structures to resolve files and symbolic links during boot. When GRUB2 follows a symlink on a ReiserFS volume, it computes the buffer size needed to hold the link target. The size calculation combines several user-controlled values drawn from the filesystem geometry, including block size and item length fields stored in the image itself.

The arithmetic that produces the allocation size lacks proper overflow validation. A crafted ReiserFS image can supply values whose product wraps around the integer type, yielding a small allocation size. GRUB then calls grub_malloc() with the truncated value and passes the original, untruncated length to grub_reiserfs_read_real() when reading symlink data. The read routine writes the full expected number of bytes into the undersized heap chunk, corrupting adjacent allocator metadata and heap objects.

Because GRUB2 runs in the pre-boot environment with full platform privileges, heap corruption translates directly into control over the bootloader. An attacker who pivots execution can patch Secure Boot verification logic, load unsigned kernels, and persist below the operating system.

Root Cause

The root cause is a missing integer overflow check on user-influenced size arithmetic in the ReiserFS module. The function trusts on-disk geometry fields when sizing the symlink buffer, violating safe-integer practices for parsers operating on untrusted data.

Attack Vector

Exploitation requires the attacker to present a malicious ReiserFS filesystem to GRUB2 at boot time. Realistic delivery paths include attached USB media, attacker-controlled removable drives, dual-boot configurations, or scenarios where an attacker has temporary local access with high privileges to write a crafted image. The CVSS vector reflects local attack surface, high attack complexity, and high privileges required, but successful exploitation yields full confidentiality, integrity, and availability impact through Secure Boot bypass.

No public proof-of-concept code is available. Technical details are described in the Red Hat CVE-2025-0684 Advisory and Red Hat Bugzilla #2346119.

Detection Methods for CVE-2025-0684

Indicators of Compromise

• Unexpected ReiserFS filesystem images present on boot media, removable drives, or partitions not associated with legitimate system use.
• Unsigned or unexpected kernels and initramfs images loaded by GRUB2 after a reboot involving external media.
• Modifications to /boot, EFI System Partition contents, or GRUB2 configuration files that do not correspond to authorized package updates.
• Secure Boot measurement anomalies recorded in TPM PCR values compared against known-good baselines.

Detection Strategies

• Inventory installed GRUB2 packages across the fleet and compare versions against vendor security advisories for CVE-2025-0684.
• Enable and audit UEFI Secure Boot logs and TPM event logs for unexpected bootloader or kernel measurements.
• Use file integrity monitoring on /boot and the EFI System Partition to detect unauthorized changes to bootloader components.
• Detect the presence of the reiserfs.mod GRUB2 module on systems that do not legitimately use ReiserFS.

Monitoring Recommendations

• Forward boot integrity events, package manager updates, and removable media mount events to a centralized log platform for correlation.
• Alert on attachment of unknown block devices containing ReiserFS signatures, particularly on servers and workstations handling sensitive data.
• Track distribution security feeds for GRUB2 and shim updates and verify deployment within defined patch windows.

How to Mitigate CVE-2025-0684

Immediate Actions Required

• Apply vendor-supplied GRUB2 updates as soon as they are available from your Linux distribution. Refer to the Red Hat CVE-2025-0684 Advisory for Red Hat-specific package versions.
• Update the Secure Boot DBX revocation list (fwupdmgr update or distribution-equivalent tooling) once revocation entries for vulnerable GRUB2 builds are published.
• Restrict physical and console access to systems where Secure Boot is part of the threat model.
• Disable booting from removable media in firmware settings on systems that do not require it.

Patch Information

The vulnerability is addressed in upstream GRUB2 by adding overflow-safe size arithmetic in the ReiserFS symlink read path. Linux distributions are publishing rebuilt GRUB2 and shim packages; track the Red Hat Bugzilla #2346119 entry and equivalent advisories from other distributions for fix availability and shipped versions.

Workarounds

• Remove or blacklist the GRUB2 ReiserFS module (reiserfs.mod) on systems that do not require ReiserFS support, reducing the parser attack surface.
• Enforce firmware-level boot order restrictions and disable USB boot to limit exposure to malicious external filesystems.
• Set a GRUB2 password to prevent unauthorized modification of boot entries and module loading at the boot menu.
• Where supported, enable measured boot with remote attestation so that compromised bootloaders fail attestation before sensitive workloads start.

# Example: prevent loading of the ReiserFS GRUB2 module
# Remove the module file from the GRUB2 install directory
sudo rm -f /boot/grub2/i386-pc/reiserfs.mod
sudo rm -f /boot/efi/EFI/*/x86_64-efi/reiserfs.mod

# Rebuild the GRUB2 configuration after applying vendor patches
sudo grub2-mkconfig -o /boot/grub2/grub.cfg

# Verify installed GRUB2 package version against the vendor advisory
rpm -q grub2-common grub2-efi-x64 grub2-pc