VYPR
Unrated severity · NVD Advisory · Published Jul 29, 2020 · Updated Sep 17, 2024

GRUB2 contained integer overflows when handling the initrd command, leading to a heap-based buffer overflow.

CVE-2020-15707

Description

An integer overflow in GRUB2's efilinux initrd functions leads to a heap buffer overflow, enabling arbitrary code execution and Secure Boot bypass; it is reachable on 32-bit architectures or through crafted filesystems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Integer overflow vulnerabilities exist in the functions grub_cmd_initrd and grub_initrd_init within the efilinux component of GRUB2, as shipped in Debian, Red Hat, and Ubuntu (this functionality is not included in upstream GRUB2) [1][2][3]. The overflow occurs when handling an extremely large number of arguments to the initrd command on 32-bit architectures, or when processing a crafted filesystem with very large files on any architecture [description]. This leads to a heap-based buffer overflow. Affected versions include GRUB2 version 2.04 and prior [description].
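
The bug class described above, as an added illustration that is not GRUB2 or distribution code: an unchecked size computation wraps, so the resulting allocation is far smaller than the data later written into it, and an overflow check rejects the input instead. All names (`ENTRY_SIZE`, `table_bytes_*`, `total_size_*`) and sample values are constructed, and `uint32_t` stands in for a 32-bit `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed size of one per-file record on a 32-bit target (hypothetical). */
#define ENTRY_SIZE 8u

/* Unchecked: the product wraps modulo 2^32, as size_t does on 32-bit. */
uint32_t table_bytes_unchecked(uint32_t nfiles) {
    return nfiles * ENTRY_SIZE;
}

/* Checked: reject counts whose table size is not representable. */
int table_bytes_checked(uint32_t nfiles, uint32_t *out) {
    if (nfiles > UINT32_MAX / ENTRY_SIZE) return -1;
    *out = nfiles * ENTRY_SIZE;
    return 0;
}

/* Unchecked: summing sizes read from filesystem metadata wraps modulo 2^64. */
uint64_t total_size_unchecked(const uint64_t *sizes, size_t n) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) total += sizes[i];
    return total;
}

/* Checked: fail before the running total can wrap. */
int total_size_checked(const uint64_t *sizes, size_t n, uint64_t *out) {
    uint64_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (sizes[i] > UINT64_MAX - total) return -1;
        total += sizes[i];
    }
    *out = total;
    return 0;
}

int main(void) {
    /* Constructed inputs, chosen so the arithmetic wraps. */
    uint32_t nfiles = 0x20000001u, bytes = 0;
    uint64_t sizes[2] = { 0xFFFFFFFFFFFFF000ull, 0x2000ull }, total = 0;
    printf("table: unchecked=%u bytes, checked rc=%d\n",
           (unsigned)table_bytes_unchecked(nfiles), table_bytes_checked(nfiles, &bytes));
    printf("initrd: unchecked=%llu bytes, checked rc=%d\n",
           (unsigned long long)total_size_unchecked(sizes, 2), total_size_checked(sizes, 2, &total));
    return 0;
}
```

The checked variants return -1 so the caller can abort the load before any buffer is allocated from a wrapped size.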

Exploitation

An attacker requires either local administrative privileges or physical access to the system to trigger the vulnerability [1][3]. On 32-bit systems, the attacker can supply an extremely large number of arguments to the initrd command. On any architecture, the attacker can craft a filesystem containing very large files that, when processed by GRUB2, cause the integer overflow. The overflow results in a heap-based buffer overflow, allowing the attacker to inject a malicious payload [1][2].

Impact

Successful exploitation allows arbitrary code execution within the GRUB2 bootloader, bypassing UEFI Secure Boot restrictions [1][2][3]. The attacker can install persistent bootkits or malicious bootloaders, gaining near-total control over the victim device [1]. This compromises the integrity of the boot chain and can lead to full system compromise.

Mitigation

Fixed versions have been released by affected distributions: Ubuntu [2], Red Hat [3], and Debian. Users should update their grub2 packages to the latest patched versions. Additionally, new signed bootloaders must be deployed and vulnerable bootloaders revoked to prevent adversaries from using older versions [1]. There is no workaround for the flaw [3]. The vulnerability is part of the "BootHole" set of CVEs, and mitigation requires coordinated updates across the ecosystem [1][4].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

31

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

17
