VYPR
← All advisories
Unrated severityNVD Advisory· Published Mar 3, 2021· Updated Aug 4, 2024

CVE-2020-25647

CVE-2020-25647

Description

An out-of-bounds write in grub2's USB device initialization prior to 2.06 allows local attackers with USB access to bypass Secure Boot.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds write in grub2's USB device initialization prior to 2.06 allows local attackers with USB access to bypass Secure Boot.

Vulnerability

An out-of-bounds write flaw exists in the grub_usb_device_initialize() function in grub2 versions prior to 2.06. During USB device initialization, the function reads descriptors from the USB device with minimal bounds checking, assuming the device will provide valid data. If a malicious USB device is attached, the lack of validation can trigger memory corruption. This issue affects all grub2 versions before 2.06 [1][3].

Exploitation

An attacker must have physical access to the target system and the ability to boot from or attach a malicious USB device during the boot process. No authentication is required. The attacker crafts a USB device that presents specially crafted descriptors to the UEFI firmware or GRUB during initialization, causing the code to write out of bounds [1]. The vulnerability can be triggered without user interaction beyond the system booting with the malicious device attached [1].

Impact

Successful exploitation allows arbitrary code execution within the GRUB environment, which can be used to bypass the UEFI Secure Boot mechanism. This compromises data confidentiality, integrity, and system availability, as an attacker could execute unsigned code and gain full control over the boot process [1][3].

Mitigation

The issue is resolved in grub2 version 2.06 and later [1][3]. Red Hat has addressed the vulnerability in specific RHEL releases via RHSA-2021 advisory [1]. Gentoo recommends upgrading to >=sys-devel/grub-2.06_rc1 [3]. If upgrading is not possible, no workaround is known [3]. Users must also run grub-install after upgrading to ensure the fix is applied [3].

References
  1. 1886936 – (CVE-2020-25647) CVE-2020-25647 grub2: Out-of-bounds write in grub_usb_device_initialize()
  2. Multiple vulnerabilities (GLSA 202104-05) — Gentoo security

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

4

News mentions

0

No linked articles in our index yet.