CVE-2025-0622: Grub2: command/gpg: use-after-free due to hooks not being removed on module unload
A flaw was found in command/gpg. In some scenarios, hooks created by loaded modules are not removed when the related module is unloaded. This flaw allows an attacker to force grub2 to call the hooks once the module that registered it was unloaded, leading to a use-after-free vulnerability. If correctly exploited, this vulnerability may result in arbitrary code execution, eventually allowing the attacker to bypass secure boot protections.
Security readout for executives and security teams
Plain-English summary
CVE-2025-0622 affects GRUB2, the bootloader used before Linux starts. A flaw in module hook cleanup can leave stale hooks after a module unloads, creating a use-after-free condition. Successful exploitation could allow code execution before the operating system fully boots and may bypass Secure Boot protections.
Executive priority
Treat as a planned security update, not an emergency, unless affected systems protect high-value workloads through Secure Boot. The main business risk is erosion of boot-chain trust on systems where an attacker already has privileged local access.
Technical view
The issue is in GRUB2 command/gpg hook lifecycle handling. In some cases, module-created hooks are not removed when the module unloads. Later hook invocation can call freed module memory, producing CWE-416 use-after-free. Red Hat rates it CVSS 6.4 with local access, high complexity, and high privileges required.
Likely exposure
Most exposed assets are Red Hat systems using affected grub2 or RHCOS builds: RHEL 9, RHEL 10, and OpenShift Container Platform 4 are listed affected. RHEL 7 and 8 status is unknown in the supplied data.
Exploitation context
The bundle does not show KEV listing or active exploitation. The CVSS vector indicates exploitation requires local access, high privileges, and high attack complexity. Impact is still important because the vulnerability is in boot-chain code and could affect Secure Boot trust assumptions.
Researcher notes
Evidence supports a GRUB2 use-after-free in command/gpg hook cleanup with possible Secure Boot bypass. Public bundle names Red Hat advisories and upstream grub-devel discussion, but does not provide exploit-in-the-wild evidence or complete fixed-version detail for every platform.
Mitigation direction
Apply relevant Red Hat errata for affected RHEL and OpenShift systems.
Check Red Hat CVE guidance for exact fixed package or release details.
Prioritize systems relying on Secure Boot for boot-chain integrity.
Review OpenShift/RHCOS remediation guidance before cluster-wide updates.
Limit local privileged bootloader administration access until remediation is complete.
Validation and detection
Inventory grub2 package versions across RHEL 9 and RHEL 10 systems.
Identify OpenShift Container Platform 4 clusters using affected RHCOS content.
Compare assets against Red Hat affected status and errata applicability.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.