CVE-2025-0684

Name	CVE-2025-0684
Description	A flaw was found in grub2. When performing a symlink lookup from a reiserfs filesystem, grub's reiserfs fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciouly crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_reiserfs_read_symlink() will call grub_reiserfs_read_real() with a overflown length parameter, leading to a heap based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution, by-passing secure boot protections.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1098319

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
grub2 (PTS)	bullseye (security), bullseye	2.06-3~deb11u6	vulnerable
	bookworm, bookworm (security)	2.06-13+deb12u1	vulnerable
	forky, trixie	2.12-9	fixed
	sid	2.14~git20250718.0e36779-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
grub2	source	(unstable)	2.12-6			1098319

Notes

[bookworm] - grub2 <no-dsa> (Minor issue, will be fixed via point release)
https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html
https://www.openwall.com/lists/oss-security/2025/02/18/3