CVE-2025-0689

low-risk

Published 2025-03-03

When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections.

Do I need to act?

0.08% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.8/10 High

LOCAL / LOW complexity

Affected Products (1)

Grub2

Affected Vendors

Gnu

References (3)

Third Party Advisory https://access.redhat.com/security/cve/CVE-2025-0689

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=2346122

Mailing List https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal