CVE-2025-0678
Published: 03 March 2025
Summary
CVE-2025-0678 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003). The CVE is ranked at the 7.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Timely flaw remediation patches the integer overflow vulnerability in GRUB2's squash4 module, directly preventing heap-based out-of-bounds writes from maliciously crafted filesystems.
- SI-10 (Information Input Validation): Validates filesystem geometry parameters as information inputs to GRUB2, ensuring proper checks for integer overflows and blocking exploitation via malformed squash4 data.
- Verifies the integrity of the GRUB2 bootloader before execution, preventing use of tampered or vulnerable bootloader versions that could be exploited during the boot process.
MITRE ATT&CK Enterprise Techniques
- Bootkit (T1542.003)
Why these techniques?
The vulnerability enables arbitrary code execution in the GRUB2 bootloader via a crafted squash4 filesystem image, directly facilitating bootkit-style pre-OS boot process compromise and Secure Boot bypass.
NVD Description
A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, bypassing secure boot protections.
Deeper analysis
CVE-2025-0678 is an integer overflow vulnerability (CWE-190) in the GRUB2 bootloader's squash4 filesystem module. When GRUB2 reads data from a squash4 filesystem, it uses user-controlled parameters from the filesystem geometry to calculate internal buffer sizes but fails to properly check for integer overflows. A maliciously crafted squash4 filesystem can cause these buffer size calculations to overflow, resulting in a grub_malloc() allocation with a smaller size than intended. This leads to a heap-based out-of-bounds write during the subsequent direct_read() operation.
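To illustrate the CWE-190 pattern described above (an allocation size derived from untrusted geometry that wraps, so the buffer ends up smaller than the data later written into it) next to the overflow-checked form that fails closed, here is an added example in C. It is constructed for this page and is not GRUB2's code: the field names block_size, block_count and header_len, the 32-bit size type, and the availability of GCC/Clang's __builtin_mul_overflow and __builtin_add_overflow are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the CWE-190 pattern behind CVE-2025-0678.
 * Parameter names and the 32-bit size type are assumptions for this
 * example, not GRUB2's squash4 structures. All geometry values are
 * treated as untrusted because they are read from the image. */

/* Vulnerable pattern: arithmetic on untrusted geometry in a 32-bit size
 * with no wraparound check; a large product silently wraps to a small one. */
uint32_t unchecked_size(uint32_t block_size, uint32_t block_count, uint32_t header_len)
{
    return block_size * block_count + header_len;
}

/* Hardened pattern: each step is overflow-checked (GCC/Clang builtins,
 * assumed available) and the function fails closed. Returns the size,
 * or -1 if any intermediate result would wrap. */
int64_t checked_size(uint32_t block_size, uint32_t block_count, uint32_t header_len)
{
    uint32_t product, total;
    if (__builtin_mul_overflow(block_size, block_count, &product))
        return -1;
    if (__builtin_add_overflow(product, header_len, &total))
        return -1;
    return (int64_t)total;
}

/* Models the allocate-then-read step without touching memory: true if the
 * bytes the geometry implies fit in a buffer of the unchecked size, false
 * if the later read would write past the end of the allocation. */
bool read_fits_unchecked(uint32_t block_size, uint32_t block_count, uint32_t header_len)
{
    uint32_t alloc = unchecked_size(block_size, block_count, header_len);
    uint64_t needed = (uint64_t)block_size * block_count + header_len;
    return needed <= alloc;
}

int main(void)
{
    /* Benign geometry: both calculations agree. */
    printf("benign: unchecked=%u checked=%lld fits=%d\n", unchecked_size(4096, 16, 64),
           (long long)checked_size(4096, 16, 64), read_fits_unchecked(4096, 16, 64));
    /* Crafted geometry: 0x10000 * 0x10001 = 0x100010000 wraps to 0x10000. */
    printf("crafted: unchecked=%u checked=%lld fits=%d\n", unchecked_size(0x10000u, 0x10001u, 16),
           (long long)checked_size(0x10000u, 0x10001u, 16), read_fits_unchecked(0x10000u, 0x10001u, 16));
    return 0;
}
```

The crafted case is the shape of the bug: the unchecked size comes out at 0x10010 bytes while the read would copy over 4 GiB, whereas the checked version rejects the geometry before any allocation happens.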
The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). A local attacker with low privileges can exploit it by providing a specially crafted squash4 filesystem image accessible during GRUB2's boot process. Exploitation corrupts GRUB2's internal critical data structures, potentially enabling arbitrary code execution and bypassing Secure Boot protections.
Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-0678 and the related Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2346118.
Details
- CWE(s)