CVE-2025-4382
Description
CVE-2025-4382: LUKS TPM auto-unlock key remains in memory after GRUB filesystem failure, allowing physical attackers to access decrypted data via rescue CLI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-4382 is a vulnerability in GRUB when configured to auto-decrypt LUKS-encrypted disks using TPM-stored keys. During boot, GRUB reads the decryption key into system memory. If an attacker with physical access corrupts the underlying filesystem superblock, GRUB fails to locate a valid filesystem and enters rescue mode, leaving the decryption key loaded in memory [1].
Attack scenario
An attacker with physical access can force a filesystem corruption to trigger the rescue shell. In this state the key is still present, and the attacker can use GRUB's command-line interface to read the decrypted disk without further authentication [1][3]. The vulnerability stems from GRUB's rescue mode not being restricted when the TPM-provided key has already unlocked the disk [2].
Impact
The primary impact is the compromise of disk encryption confidentiality, as the attacker can access all data on the decrypted volume. The ability to force rescue mode by corrupting the superblock also represents a data integrity concern [1].
Mitigation
A patch has been developed and merged into the GRUB source tree. The fix modifies the rescue reader to check a new condition (grub_is_cli_need_auth()) and stall if authentication is required [2]. Red Hat has acknowledged the issue and is working on updated packages [1][3]. Users are advised to apply the patch or restrict physical access to affected systems until updates are available.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 9
osv-coords, 8 versions:
- pkg:rpm/opensuse/grub2&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 2.12-150600.8.27.1
- pkg:rpm/opensuse/grub2&distro=openSUSE%20Tumbleweed (no CPE), range: < 2.12-50.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 (no CPE), range: < 2.12-150600.8.27.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP7 (no CPE), range: < 2.12-150700.19.3.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 (no CPE), range: < 2.12-150600.8.27.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP7 (no CPE), range: < 2.12-150700.19.3.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Micro%206.0 (no CPE), range: < 2.12~rc1-6.1
- pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Micro%206.1 (no CPE), range: < 2.12-slfo.1.1_2.1
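To check a host against the ranges above, the installed grub2 version has to be ordered the way RPM orders it, including the `~` pre-release marker in `2.12~rc1`. The following is an added example, not code from this page or from GRUB or SUSE; the function names are hypothetical, and it assumes the ranges pair with the package entries in the order listed.

```python
import re
from itertools import zip_longest
# Fixed versions copied from this page's "Affected products" list, paired with
# the package entries in listed order (assumption): distro -> first fixed EVR.
_SLE = "SUSE Linux Enterprise Module for "
FIXED = {
    "openSUSE Leap 15.6": "2.12-150600.8.27.1",
    "openSUSE Tumbleweed": "2.12-50.1",
    _SLE + "Basesystem 15 SP6": "2.12-150600.8.27.1",
    _SLE + "Basesystem 15 SP7": "2.12-150700.19.3.1",
    _SLE + "Server Applications 15 SP6": "2.12-150600.8.27.1",
    _SLE + "Server Applications 15 SP7": "2.12-150700.19.3.1",
    "SUSE Linux Micro 6.0": "2.12~rc1-6.1",
    "SUSE Linux Micro 6.1": "2.12-slfo.1.1_2.1",
}
_SEG = re.compile(r"\d+|[A-Za-z]+|~")  # digit run, letter run, or tilde; separators dropped

def rpmvercmp(a, b):
    """Order two RPM version or release strings; returns -1, 0 or 1 ('^' not handled)."""
    for ta, tb in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if ta == "~" or tb == "~":  # tilde sorts before anything, even end of string
            if ta != tb:
                return -1 if ta == "~" else 1
        elif ta is None or tb is None:  # the string with segments left is newer
            return -1 if ta is None else 1
        elif ta.isdigit() != tb.isdigit():  # numeric segment beats alphabetic
            return 1 if ta.isdigit() else -1
        else:
            ka, kb = (int(ta), int(tb)) if ta.isdigit() else (ta, tb)
            if ka != kb:
                return 1 if ka > kb else -1
    return 0

def split_evr(evr):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return epoch or "0", version, release

def is_affected(distro, installed_evr):
    """True when installed_evr is below the fixed version this page lists for distro."""
    for x, y in zip(split_evr(installed_evr), split_evr(FIXED[distro])):
        c = rpmvercmp(x, y)
        if c:
            return c < 0
    return False

if __name__ == "__main__":  # constructed sample values, not from a real host
    for d, v in [("openSUSE Leap 15.6", "2.12-150600.8.24.1"), ("SUSE Linux Micro 6.0", "2.12-1.1")]:
        print(d, v, "AFFECTED" if is_affected(d, v) else "ok")
```

On a real host the second argument would come from `rpm -q --qf '%{EVR}' grub2`.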
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.