Home > Vulnerability Database > CVE-2025-0677

Mend.io Vulnerability Database

CVE-2025-0677

Date: February 19, 2025

A flaw was found in grub2. When performing a symlink lookup the grub's UFS module check the inode's data size to allocate the internal buffer for reading the file content however it misses to check if the symlink data size has overflown. If that happens grub_malloc() may be called with a smaller value than needed, as consequence when further reading the data from disk into the buffer grub_ufs_lookup_symlink() function will write past the end of the allocated size. An attack may leverage that by crafting a malicious filesystem and as a result it will corrupt data stored in the heap, it's possible that arbitrary code execution may be achieved through it and to be used to by-pass secure boot mechanisms.

Severity Score

6.4

Related Resources (7)

Url: https://seclists.org/oss-sec/2025/q1/146

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-0677

Url: https://access.redhat.com/errata/RHSA-2025:6990

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2346116

Url: https://access.redhat.com/security/cve/CVE-2025-0677

Url: https://access.redhat.com/errata/RHSA-2025:16154

Url: https://www.mend.io/vulnerability-database/CVE-2025-0677

Severity Score

6.4

Weakness Type (CWE)

Out-of-bounds Write

CWE-787

CVSS v3.1

Base Score:	6.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-0677

Date: February 19, 2025

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?