CVE-2025-0678: Grub2: squash4: integer overflow may lead to heap based out-of-bounds write when reading data
A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the direct_read() will perform a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, by-passing secure boot protections.
Security readout for executives and security teams
Plain-English summary
CVE-2025-0678 is a GRUB2 bootloader flaw involving malformed squash4 filesystem data. A local attacker who can influence bootloader-readable filesystem content may corrupt GRUB memory, potentially achieving code execution before the operating system starts and bypassing Secure Boot protections.
Executive priority
Prioritize as high where GRUB2 exposure is confirmed because compromise may occur before the OS security stack loads. Red Hat-listed products appear unaffected in the provided data, so validate vendor status before emergency remediation.
Technical view
GRUB2's squash4 module uses filesystem geometry values to size internal buffers but insufficiently checks integer overflow. Overflowed size calculations can make grub_malloc allocate too little memory, after which direct_read can perform a heap out-of-bounds write.
Likely exposure
Exposure depends on whether a system's GRUB2 build includes the vulnerable squash4 handling and can be made to read attacker-crafted filesystem data. The bundle lists Red Hat Enterprise Linux 7, 8, 9, 10 and OpenShift Container Platform 4 as unaffected; other vendor status is not established here.
Exploitation context
The CVSS vector is local, low complexity, low privileges, and no user interaction. The source bundle does not show CISA KEV listing or cited evidence of active exploitation, so active exploitation should not be assumed.
Researcher notes
Key weakness is CWE-190 integer overflow leading to undersized allocation and heap out-of-bounds write in squash4 read handling. The bundle supports potential arbitrary code execution and Secure Boot bypass, but does not provide patch details or exploitation-in-the-wild evidence.
Mitigation direction
Check vendor advisories for GRUB2 packages that address CVE-2025-0678.
Apply vendor-supported bootloader updates when available and tested.
Restrict who can modify boot partitions, boot entries, VM images, and removable boot media.
Maintain firmware boot controls and Secure Boot configuration hygiene.
Treat untrusted bootable media and filesystem images as high risk.
Validation and detection
Inventory systems using GRUB2 and record package source and version.
Compare installed packages against vendor CVE-2025-0678 guidance.
Confirm whether the deployed GRUB2 includes squash4 filesystem support.
Review controls around local administrative access and boot media changes.
For Red Hat estates, confirm products match the listed unaffected statuses.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-190: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-190 · source CWE mapping
Integer Overflow or Wraparound
Integer Overflow or Wraparound represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.