| Name | CVE-2025-4382 |
| Description | A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1105108 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| grub2 (PTS) | bullseye (security), bullseye | 2.06-3~deb11u6 | vulnerable |
| bookworm, bookworm (security) | 2.06-13+deb12u1 | vulnerable | |
| sid, trixie | 2.12-7 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| grub2 | source | (unstable) | (unfixed) | 1105108 |
Fixed by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=c448f511e74cb7c776b314fcb7943f98d3f22b6d
Additional hardening via:
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ed691c0e0e20d9d0e8d8305a120e8c61d6be3d38
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=7a584fbde0c339816a57d55fc165a854039cf0b2
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=10d778c4b4d56cc36836d86a9698bc5272b12101
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=23ec4535f40dc53f68d2709f8fb44af571431ca7
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=301b4ef25a8fafaeba48498e97efd28bd2809f97
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=dbc0eb5bd1f40de9b394e3a86e84f46c39a23e40
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=73d1c959ea3417e9309ba8c6102d7d6dc7c94259
Option to block command line interface at build time introduced with:
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=bb65d81fe320e4b20d0a9b32232a7546eb275ecc
double check if vulnerability only considered present after grub_is_cli_disabled is introduced