GRUB2 contains a race condition leading to a use-after-free vulnerability which can be triggered by redefining a function whilst the same function is already executing.
Description
GRUB2 2.04 and prior have a race condition in grub_script_function_create() leading to use-after-free, enabling arbitrary code execution and Secure Boot bypass.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GRUB2 versions 2.04 and earlier contain a race condition in the grub_script_function_create() function [4]. When a function is redefined while it is already executing, a use-after-free condition occurs. This vulnerability (CVE-2020-15706) affects all operating systems using GRUB2 with Secure Boot, including virtually every Linux distribution and Windows devices using the Microsoft Third Party UEFI CA [1].
Exploitation
An attacker must first establish access to the system, such as gaining physical access, modifying a PXE-boot network, or having remote root access on a networked system [3]. The attacker then triggers the race condition by redefining a GRUB2 function during its execution. This requires a crafted grub.cfg file or similar boot script manipulation. The race window allows a use-after-free to be exploited, leading to arbitrary code execution within the GRUB2 environment [4].
Impact
Successful exploitation yields arbitrary code execution during the boot process. The attacker can bypass UEFI Secure Boot, load unsigned boot modules, and install persistent bootkits or malicious bootloaders [1]. This gives near-total control over the victim device, with high impact on confidentiality, integrity, and availability (CVSS 6.4) [4].
Mitigation
Red Hat states there is no direct mitigation for the flaw [3]. The fix is to update GRUB2 packages to patched versions provided by Linux distributions. Eclypsium coordinated disclosure with OS vendors, and updates have been released by major distros such as Ubuntu [2]. Additionally, new signed bootloaders must be deployed and vulnerable bootloaders revoked to prevent rollback attacks [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (31)
- osv-coords, 29 versions (no CPE for any entry):
  - pkg:rpm/opensuse/grub2 (openSUSE Leap 15.1), range: < 2.02-lp151.21.21.4
  - pkg:rpm/opensuse/grub2 (openSUSE Leap 15.2), range: < 2.04-lp152.7.3.4
  - pkg:rpm/opensuse/grub2 (openSUSE Tumbleweed), range: < 2.06-7.1
  - pkg:rpm/suse/grub2 (HPE Helion OpenStack 8), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE Enterprise Storage 5), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise High Performance Computing 15-ESPOS), range: < 2.02-19.48.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise High Performance Computing 15-LTSS), range: < 2.02-19.48.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Module for Basesystem 15 SP1), range: < 2.02-26.25.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Module for Basesystem 15 SP2), range: < 2.04-9.7.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Module for Server Applications 15 SP1), range: < 2.02-26.25.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Module for Server Applications 15 SP2), range: < 2.04-9.7.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 11 SP4-LTSS), range: < 2.00-0.66.15.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP2-BCL), range: < 2.02~beta2-115.49.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP2-LTSS), range: < 2.02~beta2-115.49.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP3-BCL), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP3-LTSS), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP4-LTSS), range: < 2.02-12.31.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 12 SP5), range: < 2.02-12.31.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server 15-LTSS), range: < 2.02-19.48.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server for SAP Applications 12 SP2), range: < 2.02~beta2-115.49.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server for SAP Applications 12 SP3), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server for SAP Applications 12 SP4), range: < 2.02-12.31.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server for SAP Applications 12 SP5), range: < 2.02-12.31.1
  - pkg:rpm/suse/grub2 (SUSE Linux Enterprise Server for SAP Applications 15), range: < 2.02-19.48.1
  - pkg:rpm/suse/grub2 (SUSE OpenStack Cloud 7), range: < 2.02~beta2-115.49.1
  - pkg:rpm/suse/grub2 (SUSE OpenStack Cloud 8), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE OpenStack Cloud 9), range: < 2.02-12.31.1
  - pkg:rpm/suse/grub2 (SUSE OpenStack Cloud Crowbar 8), range: < 2.02-4.53.1
  - pkg:rpm/suse/grub2 (SUSE OpenStack Cloud Crowbar 9), range: < 2.02-12.31.1
- Ubuntu/grub2 in Ubuntu (v5), range: 20.04 LTS
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (17)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00016.html (mitre, vendor-advisory, x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00017.html (mitre, vendor-advisory, x_refsource_SUSE)
- ubuntu.com/security/notices/USN-4432-1 (mitre, vendor-advisory, x_refsource_UBUNTU)
- access.redhat.com/security/vulnerabilities/grub2bootloader (mitre, vendor-advisory, x_refsource_REDHAT)
- security.gentoo.org/glsa/202104-05 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/4432-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2020-GRUB-UEFI-SecureBoot (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.debian.org/security/2020/dsa-4735 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ (mitre, vendor-advisory, x_refsource_SUSE)
- www.suse.com/support/kb/doc/ (mitre, vendor-advisory, x_refsource_SUSE)
- www.openwall.com/lists/oss-security/2020/07/29/3 (mitre, mailing-list, x_refsource_MLIST)
- lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html (mitre, x_refsource_CONFIRM)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 (mitre, x_refsource_CONFIRM)
- security.netapp.com/advisory/ntap-20200731-0008/ (mitre, x_refsource_CONFIRM)
- www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ (mitre, x_refsource_CONFIRM)
- www.openwall.com/lists/oss-security/2020/07/29/3 (mitre, x_refsource_CONFIRM)