CVE-2025-0684: Grub2: reiserfs: integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data
A flaw was found in grub2. When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with a overflown length parameter, leading to a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution, by-passing secure boot protections.
Security readout for executives and security teams
Plain-English summary
CVE-2025-0684 is a GRUB2 bootloader flaw involving crafted reiserfs filesystem data. In the right local attack scenario, it could corrupt bootloader memory and potentially bypass Secure Boot. The sources rate it medium because exploitation requires local, high-privilege conditions and high complexity.
Executive priority
Track this as a moderate boot-chain risk. It is not an internet-facing emergency, but it matters for laptops, servers, appliances, and secure-boot-dependent environments where attackers may gain privileged local access or influence boot media.
Technical view
During reiserfs symlink lookup, GRUB2 uses filesystem-controlled geometry values to size internal buffers. Insufficient integer-overflow checks can cause undersized allocation, followed by a heap out-of-bounds write in symlink reading. The stated impact is possible arbitrary code execution in GRUB and Secure Boot bypass.
Likely exposure
Exposure is most plausible where GRUB2 can access a maliciously crafted reiserfs filesystem during boot. Red Hat lists RHEL 7-10 and OpenShift Container Platform 4 as unaffected. Sources do not establish impact for other downstream GRUB2 builds.
Exploitation context
No KEV listing and no provided source reports active exploitation. Attack conditions are local, high complexity, high privileges, and no user interaction. Successful exploitation could affect confidentiality, integrity, and availability and may bypass Secure Boot protections.
Researcher notes
The provided record does not name a fixed version or universal affected-version range. Red Hat marks listed enterprise products unaffected. Researchers should avoid broad product claims and focus validation on whether a specific GRUB2 build includes reachable reiserfs symlink parsing code.
Mitigation direction
Check your OS or appliance vendor advisory for GRUB2 updates or applicability statements.
Prioritize bootloader updates if your vendor confirms affected GRUB2 reiserfs code is shipped.
Restrict administrative and physical access to systems using Secure Boot.
Limit boot from untrusted removable or external media where operationally possible.
Review boot-chain hardening and recovery procedures for high-assurance endpoints.
Validation and detection
Inventory systems and images that use GRUB2 as the bootloader.
Confirm whether GRUB2 reiserfs filesystem support is present in shipped boot media.
Compare installed GRUB2 package versions against vendor advisories.
Record Red Hat systems as unaffected only when matching the cited Red Hat products.
Monitor Red Hat Bugzilla and GNU GRUB development references for final patch guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
4Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-787 · source CWE mapping
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.