Description: GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.
Source: CVE
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                      Version                  Status
grub2 (PTS)      stretch                      2.02~beta3-5+deb9u2      fixed
                 buster, buster (security)    2.02+dfsg1-20+deb10u2    fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
grub2     source   (unstable)   (not affected)


- grub2 <not-affected> (Vulnerable code specific to Ubuntu)
Debian's grub_linuxefi_secure_validate has a different interface from the one in
Ubuntu and returns the error code for both the "shim not available" and the
"kernel signature verification failed" cases. The patch for CVE-2020-15705 is
essentially about handling those two cases in the same way, where they were
previously handled differently, and so it is not a problem for src:grub2 in Debian.
