Cyber Posture

CVE-2025-1125

High

Published: 03 March 2025

Modified: 08 January 2026
KEV Added: not listed
Patch
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1125 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in GNU GRUB2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Bootkit (T1542.003). EPSS ranks it at the 19.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Bootkit (T1542.003) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely remediation of flaws like the integer overflow and buffer overflow in GRUB's HFS module via patching.

prevent (SI-10, Information Input Validation): Mandates validation of user-controlled HFS filesystem metadata parameters to prevent integer overflows in buffer size calculations.

prevent (SI-16, Memory Protection): Implements memory protections to mitigate buffer overflows and subsequent corruption of GRUB's critical data structures.

MITRE ATT&CK Enterprise Techniques

T1542.003 Bootkit (Stealth)
Adversaries may use bootkits to persist on systems.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1211 Exploitation for Stealth (Stealth)
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
T1553 Subvert Trust Controls (Defense Impairment)
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
Why these techniques?

The integer overflow in GRUB's HFS module enables a heap out-of-bounds write, leading to arbitrary code execution during boot and bypassing Secure Boot. This facilitates bootkit deployment (T1542.003), exploitation for privilege escalation (T1068) and defense evasion (T1211), and subversion of trust controls like Secure Boot (T1553).

NVD Description

When reading data from a hfs filesystem, grub's hfs filesystem module uses user-controlled parameters from the filesystem metadata to calculate the internal buffers size; however, it fails to properly check for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result the hfsplus_open_compressed_real() function will write past the internal buffer length. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution bypassing secure boot protections.

Deeper analysis

CVE-2025-1125 affects GRUB's HFS filesystem module, where user-controlled parameters from HFS filesystem metadata are used to calculate internal buffer sizes without proper integer overflow checks. A maliciously crafted HFS filesystem can trigger overflows in these calculations, resulting in a grub_malloc() allocation smaller than expected. This leads to a buffer overflow in the hfsplus_open_compressed_real() function, corrupting GRUB's internal critical data structures.

The vulnerability has a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-787 (Out-of-bounds Write). Exploitation requires local access with low complexity and no privileges, but user interaction is needed, such as tricking a user into loading or booting from a malicious HFS filesystem image via GRUB. Successful exploitation can enable arbitrary code execution, bypassing Secure Boot protections.
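The size-calculation overflow described above, as an added illustration (constructed for this page, not GRUB's HFS code): an unchecked multiply on two untrusted metadata fields wraps to a small size, while the checked form rejects the image. The function names and the record_count/record_size field pair are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed illustration of the bug class, not GRUB's code. The two
 * inputs stand in for untrusted filesystem metadata fields, which for
 * GRUB's HFS module come straight from the on-disk image. */

/* Vulnerable pattern: size arithmetic on untrusted fields with no overflow
 * check. On 32-bit wrap the result is far smaller than the data that will
 * later be written into a buffer of this size. */
uint32_t table_bytes_unchecked(uint32_t record_count, uint32_t record_size)
{
    return record_count * record_size;   /* wraps silently */
}

/* Overflow-safe multiply of two 32-bit sizes. Returns false when the true
 * product does not fit in 32 bits; this is the check that GRUB's
 * safemath.h helpers (grub_mul) perform via __builtin_mul_overflow. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t wide = (uint64_t)a * (uint64_t)b;
    if (wide > UINT32_MAX)
        return false;
    *out = (uint32_t)wide;
    return true;
}

/* Hardened pattern: the size is computed with the checked multiply and the
 * metadata is rejected (0 returned) when it overflows or is empty. */
uint32_t table_bytes_checked(uint32_t record_count, uint32_t record_size)
{
    uint32_t bytes;
    if (!mul_u32_checked(record_count, record_size, &bytes) || bytes == 0)
        return 0;
    return bytes;
}

/* Allocation wrapper for the hardened path: NULL when the header is bad. */
void *table_alloc_checked(uint32_t record_count, uint32_t record_size)
{
    uint32_t bytes = table_bytes_checked(record_count, record_size);
    return bytes ? malloc(bytes) : NULL;
}

/* True when the unchecked size is smaller than the data it must hold:
 * exactly the condition that lets a later write run past the buffer. */
bool unchecked_size_is_too_small(uint32_t record_count, uint32_t record_size)
{
    return (uint64_t)table_bytes_unchecked(record_count, record_size) <
           (uint64_t)record_count * (uint64_t)record_size;
}
```

With record_count 0x10000 and record_size 0x10010 the unchecked product wraps to 0x100000 bytes (1 MiB) for data that really spans more than 4 GiB, which is the undersized-allocation condition the advisory describes.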

Advisories and discussions on mitigation are provided by Red Hat at https://access.redhat.com/security/cve/CVE-2025-1125, Red Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2346138, and the GRUB development mailing list at https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html.

Details

CWE(s): CWE-787 (Out-of-bounds Write)

Affected Products: gnu grub2, versions ≤ 2.12

CVEs Like This One

CVE-2025-0689 (same product: Gnu Grub2)
CVE-2024-45782 (same product: Gnu Grub2)
CVE-2025-13151 (same vendor: Gnu)
CVE-2026-5435 (same vendor: Gnu)
CVE-2026-5450 (same vendor: Gnu)
CVE-2025-0840 (same vendor: Gnu)
CVE-2026-0861 (same vendor: Gnu)
CVE-2026-28372 (same vendor: Gnu)
CVE-2025-1179 (same vendor: Gnu)
CVE-2025-0678 (same product: Gnu Grub2)

References