LiveActive security incident?Get immediate response
CVE Record

CVE-2025-0622: Grub2: command/gpg: use-after-free due to hooks not being removed on module unload

A flaw was found in command/gpg. In some scenarios, hooks created by loaded modules are not removed when the related module is unloaded. This flaw allows an attacker to force grub2 to call the hooks once the module that registered it was unloaded, leading to a use-after-free vulnerability. If correctly exploited, this vulnerability may result in arbitrary code execution, eventually allowing the attacker to bypass secure boot protections.

MediumCVSS 6.4Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-0622 affects GRUB2, the bootloader used before Linux starts. A flaw in module hook cleanup can leave stale hooks after a module unloads, creating a use-after-free condition. Successful exploitation could allow code execution before the operating system fully boots and may bypass Secure Boot protections.

Executive priority

Treat as a planned security update, not an emergency, unless affected systems protect high-value workloads through Secure Boot. The main business risk is erosion of boot-chain trust on systems where an attacker already has privileged local access.

Technical view

The issue is in GRUB2 command/gpg hook lifecycle handling. In some cases, module-created hooks are not removed when the module unloads. Later hook invocation can call freed module memory, producing CWE-416 use-after-free. Red Hat rates it CVSS 6.4 with local access, high complexity, and high privileges required.

Likely exposure

Most exposed assets are Red Hat systems using affected grub2 or RHCOS builds: RHEL 9, RHEL 10, and OpenShift Container Platform 4 are listed affected. RHEL 7 and 8 status is unknown in the supplied data.

Exploitation context

The bundle does not show KEV listing or active exploitation. The CVSS vector indicates exploitation requires local access, high privileges, and high attack complexity. Impact is still important because the vulnerability is in boot-chain code and could affect Secure Boot trust assumptions.

Researcher notes

Evidence supports a GRUB2 use-after-free in command/gpg hook cleanup with possible Secure Boot bypass. Public bundle names Red Hat advisories and upstream grub-devel discussion, but does not provide exploit-in-the-wild evidence or complete fixed-version detail for every platform.

Mitigation direction

  • Apply relevant Red Hat errata for affected RHEL and OpenShift systems.
  • Check Red Hat CVE guidance for exact fixed package or release details.
  • Prioritize systems relying on Secure Boot for boot-chain integrity.
  • Review OpenShift/RHCOS remediation guidance before cluster-wide updates.
  • Limit local privileged bootloader administration access until remediation is complete.

Validation and detection

  • Inventory grub2 package versions across RHEL 9 and RHEL 10 systems.
  • Identify OpenShift Container Platform 4 clusters using affected RHCOS content.
  • Compare assets against Red Hat affected status and errata applicability.
  • Confirm whether RHEL 7 or 8 assets receive updated vendor status.
  • Verify remediation through package or image version evidence after updates.
Prepared
Confidence
high
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-416: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-0622 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.4 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.4CVSS 3.1MediumCVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H0.55.9redhat

Vulnerability scoring details

Base CVSS 3.1 score

6.4Medium
CVSS 3.1 vector shape for CVE-2025-0622Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. Source timelineredhat

    Reported to Red Hat.

  3. Source timelineredhat

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Unknown vendorgrub2grub2, 0unaffected
Red HatRed Hat Enterprise Linux 10grub2, 1:2.12-15.el10_0affected
Red HatRed Hat Enterprise Linux 9grub2, 1:2.06-104.el9_6affected
Red HatRed Hat Enterprise Linux 7grub2unknown
Red HatRed Hat Enterprise Linux 8grub2unknown
Red HatRed Hat OpenShift Container Platform 4rhcosaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-416 · source CWE mapping

Use After Free

Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.