Grub2: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)

Vulnerability

A flaw exists in the HFS filesystem driver of GRUB2. When mounting an HFS volume, the function grub_fs_mount() calls strcpy() to copy the user-provided volume name into a fixed-size heap buffer without validating the length of the name [1][2]. This results in a heap-based out-of-bounds write. The vulnerability affects GRUB2 versions that include the HFS driver; the flaw was identified in code path fs/hfs.c:382 [2]. No specific version range was disclosed in the available references, but any GRUB2 build that supports the HFS filesystem is potentially impacted.

Exploitation

An attacker requires physical access to the system or the ability to boot a maliciously crafted HFS filesystem image. By supplying an overly long volume name on the HFS volume, the attacker can trigger the out-of-bounds write when GRUB attempts to read the volume during mount [2]. No authentication or special privileges are needed beyond the ability to modify or provide a custom boot medium.

Impact

Successful exploitation corrupts heap memory, potentially altering GRUB's sensitive data structures. This can lead to a bypass of secure boot protections, allowing an attacker to execute arbitrary code during the boot process with elevated privileges [1][2]. The integrity, confidentiality, and availability of the system can be compromised.

Mitigation

As of the publication date (2025-03-03), no fixed version has been officially released or announced in the available references [1][2]. Users should monitor the vendor's security advisories for patch availability. A workaround is to disable the HFS filesystem driver in the GRUB configuration if not required, or use only signed and trusted boot media. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. If no fix is provided in a timely manner, consider using an alternative bootloader that does not include the HFS driver.