RLSA-2025:16154
- Source
- https://errata.rockylinux.org/RLSA-2025:16154
- Import Source
- https://storage.googleapis.com/resf-osv-data/RLSA-2025:16154.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/RLSA-2025:16154
- Upstream
- Published
- 2025-10-03T19:57:04.772748Z
- Modified
- 2025-10-08T17:12:51.571936Z
- Severity
-
- 6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Moderate: grub2 security update
- Details
-
The grub2 packages provide version 2 of the Grand Unified Boot Loader (GRUB), a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices.
Security Fix(es):
grub2: grub-core/gettext: Integer overflow leads to Heap OOB Write and Read. (CVE-2024-45776)
grub2: fs/ufs: OOB write in the heap (CVE-2024-45781)
grub2: command/gpg: Use-after-free due to hooks not being removed on module unload (CVE-2025-0622)
grub2: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks (CVE-2025-0677)
grub2: commands/dump: The dump command is not in lockdown when secure boot is enabled (CVE-2025-1118)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- References
-
- https://errata.rockylinux.org/RLSA-2025:16154
- https://bugzilla.redhat.com/show_bug.cgi?id=2339182
- https://bugzilla.redhat.com/show_bug.cgi?id=2345857
- https://bugzilla.redhat.com/show_bug.cgi?id=2345865
- https://bugzilla.redhat.com/show_bug.cgi?id=2346116
- https://bugzilla.redhat.com/show_bug.cgi?id=2346137
- Credits
-
-
- Rocky Enterprise Software Foundation
-
- Red Hat
-
Affected packages
Rocky Linux:10 / grub2
Package
- Name
- grub2
- Purl
- pkg:rpm/rocky-linux/grub2?distro=rocky-linux-10-0&epoch=1