Grub2: bypass the grub password protection feature
Description
An authentication bypass in Red Hat's GRUB2 allows an attacker with physical USB access to bypass password protection by using a duplicate UUID on an external drive.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An authentication bypass flaw exists in Red Hat's downstream version of GRUB2 (grub2-2.06-70.el9_3.2 and earlier) due to the way GRUB uses the UUID of a device to locate the configuration file containing the password hash for its password protection feature [4]. The issue was introduced in a downstream patch and does not affect upstream GRUB. On UEFI systems, GRUB enumerates removable drives before non-removable ones; if an attacker attaches an external drive (e.g., USB stick) with a file system that has the same UUID as the /boot/ file system, GRUB will read the configuration file from the attacker-controlled drive instead of the legitimate one [1][2][3][4].
Exploitation
An attacker must have physical access to the system and be able to attach an external storage device, such as a USB stick, containing a file system with a UUID identical to that of the /boot/ file system [4]. The system must be using UEFI boot and have GRUB password protection enabled. When the system boots, GRUB enumerates removable drives before fixed drives, reads the configuration from the external drive due to the duplicate UUID, and thus loads an attacker-controlled configuration file that can omit the password prompt or provide a known password hash [1][2][3][4].
Impact
Successful exploitation allows an attacker to bypass the GRUB password protection mechanism, gaining unauthorized access to the system's boot process [4]. This could enable the attacker to boot into single-user mode or modify boot parameters, potentially compromising the entire system's integrity and confidentiality. The attack does not require authentication or user interaction beyond attaching the external drive [4].
Mitigation
Red Hat has released updated packages in RHSA-2024:0468, RHSA-2024:0456, and RHSA-2024:0437 to fix this issue [1][2][3]. The fixed version is grub2-2.06-70.el9_3.2 or later [1]. Systems should be updated via the Red Hat Enterprise Linux update mechanism. No workaround is available; mitigation relies on applying the patch. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
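A defender-side check for the duplicate-UUID condition described above, as an added example (not code from Red Hat or the cited advisories): it parses `lsblk -P -o NAME,UUID,RM,MOUNTPOINT` output and reports any other block device whose filesystem UUID equals that of the file system holding /boot. The function name, the fallback to `/` when /boot is not a separate mount, and the sample device names and UUIDs are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): report block devices whose filesystem
# UUID duplicates the UUID of the file system holding /boot.
# Live use: lsblk -P -o NAME,UUID,RM,MOUNTPOINT | find_boot_uuid_clones

find_boot_uuid_clones() {
  awk '
    # Return the value of KEY="value" from an lsblk -P line.
    function field(line, key,    l) {
      l = " " line
      if (!match(l, " " key "=\"[^\"]*\"")) return ""
      return substr(l, RSTART + length(key) + 3, RLENGTH - length(key) - 4)
    }
    {
      n++
      name[n] = field($0, "NAME"); uuid[n] = field($0, "UUID")
      rm[n]   = field($0, "RM");   mnt[n]  = field($0, "MOUNTPOINT")
      if (mnt[n] == "/boot") boot = n
      if (mnt[n] == "/")     root = n
    }
    END {
      # Assumption: when /boot is not a separate mount, it lives on "/".
      ref = boot ? boot : root
      if (!ref || uuid[ref] == "") exit
      # Report every other device sharing that UUID, with its removable flag.
      for (i = 1; i <= n; i++)
        if (i != ref && uuid[i] == uuid[ref])
          printf "DUPLICATE dev=%s removable=%s uuid=%s\n", name[i], rm[i], uuid[i]
    }
  '
}

# Constructed sample: sdb1 is a USB stick carrying the same UUID as /boot.
SAMPLE_LSBLK='NAME="sda" UUID="" RM="0" MOUNTPOINT=""
NAME="sda1" UUID="7A1C-55E0" RM="0" MOUNTPOINT="/boot/efi"
NAME="sda2" UUID="0f3a9c1e-2b4d-4c6f-8a10-5e7d9b2c4f61" RM="0" MOUNTPOINT="/boot"
NAME="sda3" UUID="c2d4e6f8-1a3b-4c5d-9e7f-0123456789ab" RM="0" MOUNTPOINT="/"
NAME="sdb" UUID="" RM="1" MOUNTPOINT=""
NAME="sdb1" UUID="0f3a9c1e-2b4d-4c6f-8a10-5e7d9b2c4f61" RM="1" MOUNTPOINT=""'

printf '%s\n' "$SAMPLE_LSBLK" | find_boot_uuid_clones
```

The function prints nothing when no other device shares the /boot file system's UUID, so any output line is worth investigating.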
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:/o:redhat:enterprise_linux:8
- cpe:/o:redhat:enterprise_linux:9::baseos, range: 1:2.06-70.el9_3.2
- Red Hat / Red Hat Enterprise Linux 9.0 Extended Update Support (v5), cpe:/o:redhat:rhel_eus:9.0::baseos, range: 1:2.06-27.el9_0.16
- Red Hat / Red Hat Enterprise Linux 9.2 Extended Update Support (v5), cpe:/o:redhat:rhel_eus:9.2::baseos, range: 1:2.06-61.el9_2.2
- osv-coords, 15 packages (no CPE), each with range: < 1:2.06-70.el9_3.2.alma.1
  - pkg:rpm/almalinux/grub2-common
  - pkg:rpm/almalinux/grub2-efi-aa64
  - pkg:rpm/almalinux/grub2-efi-aa64-cdboot
  - pkg:rpm/almalinux/grub2-efi-aa64-modules
  - pkg:rpm/almalinux/grub2-efi-x64
  - pkg:rpm/almalinux/grub2-efi-x64-cdboot
  - pkg:rpm/almalinux/grub2-efi-x64-modules
  - pkg:rpm/almalinux/grub2-pc
  - pkg:rpm/almalinux/grub2-pc-modules
  - pkg:rpm/almalinux/grub2-ppc64le
  - pkg:rpm/almalinux/grub2-ppc64le-modules
  - pkg:rpm/almalinux/grub2-tools
  - pkg:rpm/almalinux/grub2-tools-efi
  - pkg:rpm/almalinux/grub2-tools-extra
  - pkg:rpm/almalinux/grub2-tools-minimal
Patches
No patches discovered yet.
References
- access.redhat.com/errata/RHSA-2024:0437 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0456 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/errata/RHSA-2024:0468 (mitre, vendor-advisory, x_refsource_REDHAT)
- access.redhat.com/security/cve/CVE-2023-4001 (mitre, vdb-entry, x_refsource_REDHAT)
- bugzilla.redhat.com/show_bug.cgi (mitre, issue-tracking, x_refsource_REDHAT)
- dfir.ru/2024/01/15/cve-2023-4001-a-vulnerability-in-the-downstream-grub-boot-manager/ (mitre)