Cyber Resilience

CVE-2025-0689

Severity: High
Published: 03 March 2025
Modified: 08 January 2026
CVSS v3.1 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0012 (30.4th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0689 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Gnu Grub2. Its CVSS base score is 7.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking is the 30.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0689 is a heap-based buffer overflow vulnerability (CWE-120) in the GRUB bootloader's UDF filesystem module. The flaw occurs when reading data from disk: the module uses user-controlled data length metadata from the filesystem to size its internal buffers. While iterating through disk sectors, GRUB assumes the amount of data actually read from disk is always smaller than the allocated buffer, which is not guaranteed. A crafted UDF filesystem image can therefore trigger the overflow and corrupt critical data.

The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high impact. A local attacker with no privileges can exploit it by tricking a user into loading or booting from a malicious UDF filesystem image, such as via removable media. Successful exploitation may lead to arbitrary code execution, potentially bypassing secure boot protections.

Mitigation details are available in vendor advisories, including Red Hat's security page at https://access.redhat.com/security/cve/CVE-2025-0689, the associated Bugzilla ticket at https://bugzilla.redhat.com/show_bug.cgi?id=2346122, and the GRUB development mailing list discussion at https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html. Security practitioners should review these resources for patches, updated GRUB packages, and deployment guidance.

Vulnerability details

When reading data from disk, the grub's UDF filesystem module utilizes the user controlled data length metadata to allocate its internal buffers. In certain scenarios, while iterating through disk sectors, it assumes the read size from the disk is always smaller than the allocated buffer size which is not guaranteed. A crafted filesystem image may lead to a heap-based buffer overflow resulting in critical data to be corrupted, resulting in the risk of arbitrary code execution by-passing secure boot protections.
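To make the bug class described in the deeper analysis and in the vulnerability details concrete, here is an added illustrative C model. It is not GRUB's UDF code: the udf_extent_t type, SECTOR_SIZE, DISK_LEN and the sample disk contents are all constructed for this example. It places the unchecked pattern (buffer sized from metadata, whole sectors copied without checking remaining room) beside a hardened reader that bounds the copy before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of the bug class, not GRUB's UDF source: on-disk
 * metadata declares how many bytes an extent holds, and the reader trusts
 * that value to size a heap buffer before copying whole sectors into it. */
typedef struct {
    uint32_t declared_len;  /* from filesystem metadata: attacker-controlled */
    uint32_t first_sector;  /* index of the first sector of the extent */
    uint32_t sector_count;  /* number of whole sectors the loop will copy */
} udf_extent_t;

#define SECTOR_SIZE 8u   /* constructed: tiny so the sample disk stays readable */
#define DISK_LEN    64u  /* constructed sample disk: eight sectors */

/* Constructed sample disk: sector i is filled with the byte 'A' + i. */
static void fill_sample_disk(uint8_t *disk, size_t disk_len)
{
    for (size_t i = 0; i < disk_len; i++)
        disk[i] = (uint8_t)('A' + i / SECTOR_SIZE);
}

/* Copies one whole sector into out; returns -1 if the sector is off-disk. */
static int read_sector(const uint8_t *disk, size_t disk_len, uint32_t idx,
                       uint8_t *out)
{
    uint64_t off = (uint64_t)idx * SECTOR_SIZE;
    if (off + SECTOR_SIZE > disk_len)
        return -1;
    memcpy(out, disk + off, SECTOR_SIZE);
    return 0;
}

/* Unchecked pattern: the buffer is sized by declared_len, but every iteration
 * deposits a full sector. When sector_count * SECTOR_SIZE exceeds declared_len
 * the later read_sector() calls write past the heap allocation. Shown only
 * for the shape of the flaw; the demo calls it with consistent metadata. */
static uint8_t *read_extent_unchecked(const udf_extent_t *ext,
                                      const uint8_t *disk, size_t disk_len)
{
    uint8_t *buf = malloc(ext->declared_len);
    if (buf == NULL)
        return NULL;
    for (uint32_t i = 0; i < ext->sector_count; i++) {
        /* No check that buf still has SECTOR_SIZE bytes of room. */
        if (read_sector(disk, disk_len, ext->first_sector + i,
                        buf + (size_t)i * SECTOR_SIZE) != 0) {
            free(buf);
            return NULL;
        }
    }
    return buf;
}

/* Hardened pattern: bound the copy by the allocation before touching the heap.
 * 64-bit arithmetic keeps the multiplication from wrapping, and an extent that
 * cannot hold its own sectors is rejected rather than truncated or trusted.
 * Returns 0 and a buffer of exactly *out_len bytes on success, -1 otherwise. */
static int read_extent_checked(const udf_extent_t *ext, const uint8_t *disk,
                               size_t disk_len, uint8_t **out, size_t *out_len)
{
    uint64_t needed = (uint64_t)ext->sector_count * SECTOR_SIZE;
    if (ext->declared_len == 0 || needed > ext->declared_len)
        return -1;  /* metadata inconsistent with the reads it implies */
    uint8_t *buf = malloc(ext->declared_len);
    if (buf == NULL)
        return -1;
    for (uint32_t i = 0; i < ext->sector_count; i++) {
        if (read_sector(disk, disk_len, ext->first_sector + i,
                        buf + (size_t)i * SECTOR_SIZE) != 0) {
            free(buf);
            return -1;
        }
    }
    *out = buf;
    *out_len = (size_t)needed;
    return 0;
}

/* Walkthrough helper: runs the checked reader on the sample disk and returns
 * the number of bytes delivered, or -1 when the extent is rejected. */
static int checked_read_len(uint32_t declared_len, uint32_t first_sector,
                            uint32_t sector_count)
{
    uint8_t disk[DISK_LEN];
    fill_sample_disk(disk, sizeof disk);
    udf_extent_t ext = { declared_len, first_sector, sector_count };
    uint8_t *out = NULL;
    size_t out_len = 0;
    if (read_extent_checked(&ext, disk, sizeof disk, &out, &out_len) != 0)
        return -1;
    if (out_len == 0) { free(out); return 0; }
    int first = out[0], last = out[out_len - 1];
    free(out);
    /* Content must come from exactly the requested sectors. */
    if (first != 'A' + (int)first_sector ||
        last != 'A' + (int)(first_sector + sector_count - 1))
        return -1;
    return (int)out_len;
}

int main(void)
{
    uint8_t disk[DISK_LEN];
    fill_sample_disk(disk, sizeof disk);
    udf_extent_t consistent = { 16, 0, 2 };
    uint8_t *raw = read_extent_unchecked(&consistent, disk, sizeof disk);
    printf("unchecked reader on consistent metadata: %s\n", raw ? "ok" : "fail");
    free(raw);
    printf("checked, 16 bytes / 2 sectors: %d\n", checked_read_len(16, 2, 2));
    printf("checked, 16 bytes / 3 sectors: %d\n", checked_read_len(16, 0, 3));
    printf("checked, zero-length extent:   %d\n", checked_read_len(0, 0, 0));
    return 0;
}
```

The design point is that the check happens before the allocation and is derived from what the loop will actually write, not from what the metadata claims; an extent whose declared length cannot hold its sectors is treated as a malformed image and refused, which is the behaviour a patched reader needs when the image comes from removable media.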

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1211 Exploitation for Stealth (tactic: Stealth): Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
T1542.003 Bootkit (tactic: Stealth): Adversaries may use bootkits to persist on systems.

Why these techniques?

Heap-based buffer overflow in GRUB's UDF filesystem module from crafted disk image enables arbitrary code execution during pre-OS boot, bypassing secure boot protections. This facilitates exploitation for privilege escalation (T1068), defense evasion (T1211), and bootkit deployment (T1542.003).

CVEs Like This One

CVE-2025-1125 (same product: Gnu Grub2)
CVE-2026-32746 (same vendor: Gnu)
CVE-2026-28372 (same vendor: Gnu)
CVE-2026-0861 (same vendor: Gnu)
CVE-2025-1179 (same vendor: Gnu)
CVE-2025-0678 (same product: Gnu Grub2)
CVE-2024-45782 (same product: Gnu Grub2)
CVE-2026-5928 (same vendor: Gnu)
CVE-2025-13151 (same vendor: Gnu)
CVE-2026-4046 (same vendor: Gnu)

Affected Assets

Vendor: gnu
Product: grub2
Affected versions: ≤ 2.12

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the CVE by requiring timely remediation of the heap buffer overflow flaw in GRUB's UDF module through patching.

SI-16 Memory Protection (prevent)
Implements memory protections like ASLR and DEP that prevent exploitation of the heap-based buffer overflow even if the flaw remains unpatched.

prevent
Requires validation of user-controlled data lengths from filesystem metadata to prevent buffer overflows during disk sector reads in GRUB.
