GRUB2: avoid loading unsigned kernels when GRUB is booted directly under secureboot without shim
Description
GRUB2 fails to validate kernel signature when booted directly without shim, allowing Secure Boot bypass on systems with imported kernel signing certificates.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GRUB2 versions 2.04 and prior fail to validate the kernel signature when the bootloader is invoked directly without the shim intermediate. This occurs on systems where the kernel signing certificate has been imported directly into the UEFI Secure Boot database (db). The code path that performs signature verification is skipped, allowing any kernel—including unsigned or malicious ones—to be loaded and executed. [1][2]
Exploitation
An attacker must first gain the ability to modify the boot configuration or replace the kernel image on the target system. This can be achieved through physical access, remote root access, or by compromising a network boot (PXE) environment. Once the attacker places a malicious kernel (or modifies the GRUB configuration to load one), the system will boot it without signature verification because GRUB2 does not enforce the check when booted directly without shim. [1][4]
Impact
Successful exploitation bypasses UEFI Secure Boot protections, allowing the attacker to execute arbitrary code during the boot process. This can lead to persistent, stealthy bootkits that give near-total control over the victim device, including the ability to tamper with the operating system and evade detection. [1]
Mitigation
The vulnerability is inherent in GRUB2 2.04 and prior. The fix requires updating to a patched version of GRUB2 that correctly validates kernel signatures even when booted without shim. Operating system vendors have released updated grub2 packages; users should apply these updates and ensure that the bootloader is signed with a valid certificate. Additionally, vulnerable bootloader versions should be revoked from the Secure Boot database to prevent rollback attacks. [2][4]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (29 versions), each listed with its affected-version range (no CPE assigned):
- pkg:rpm/opensuse/grub2&distro=openSUSE%20Leap%2015.1, range: < 2.02-lp151.21.27.1
- pkg:rpm/opensuse/grub2&distro=openSUSE%20Leap%2015.2, range: < 2.04-lp152.7.9.1
- pkg:rpm/opensuse/grub2&distro=openSUSE%20Tumbleweed, range: < 2.06-7.1
- pkg:rpm/suse/grub2&distro=HPE%20Helion%20OpenStack%208, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20Enterprise%20Storage%205, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 2.02-19.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 2.02-19.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1, range: < 2.02-26.33.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2, range: < 2.04-9.15.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1, range: < 2.02-26.33.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2, range: < 2.04-9.15.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS, range: < 2.00-0.66.21.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 2.02~beta2-115.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS, range: < 2.02~beta2-115.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 2.02-12.39.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 2.02-12.39.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 2.02-19.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2, range: < 2.02~beta2-115.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 2.02-12.39.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 2.02-12.39.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 2.02-19.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20OpenStack%20Cloud%207, range: < 2.02~beta2-115.56.1
- pkg:rpm/suse/grub2&distro=SUSE%20OpenStack%20Cloud%208, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20OpenStack%20Cloud%209, range: < 2.02-12.39.1
- pkg:rpm/suse/grub2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208, range: < 2.02-4.61.1
- pkg:rpm/suse/grub2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 2.02-12.39.1

Ubuntu (USN schema v5):
- grub2 in Ubuntu, range: 20.04 LTS
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html (vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html (vendor advisory; x_refsource_SUSE)
- ubuntu.com/security/notices/USN-4432-1 (vendor advisory; x_refsource_UBUNTU)
- access.redhat.com/security/vulnerabilities/grub2bootloader (vendor advisory; x_refsource_REDHAT)
- security.gentoo.org/glsa/202104-05 (vendor advisory; x_refsource_GENTOO)
- usn.ubuntu.com/4432-1/ (vendor advisory; x_refsource_UBUNTU)
- wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass (vendor advisory; x_refsource_UBUNTU)
- www.debian.org/security/2020-GRUB-UEFI-SecureBoot (vendor advisory; x_refsource_DEBIAN)
- www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ (vendor advisory; x_refsource_SUSE)
- www.suse.com/support/kb/doc/ (vendor advisory; x_refsource_SUSE)
- www.openwall.com/lists/oss-security/2020/07/29/3 (mailing list; x_refsource_MLIST, x_refsource_CONFIRM)
- www.openwall.com/lists/oss-security/2021/03/02/3 (mailing list; x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/09/17/2 (mailing list; x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/09/17/4 (mailing list; x_refsource_MLIST)
- www.openwall.com/lists/oss-security/2021/09/21/1 (mailing list; x_refsource_MLIST)
- lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html (x_refsource_CONFIRM)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 (x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20200731-0008/ (x_refsource_CONFIRM)
- www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ (x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.