{"id":"UBUNTU-CVE-2025-0686","details":"A flaw was found in grub2. When performing a symlink lookup from a romfs filesystem, grub's romfs filesystem module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size, however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, the grub_romfs_read_symlink() may cause out-of-bounds writes when the calling grub_disk_read() function. This issue may be leveraged to corrupt grub's internal critical data and can result in arbitrary code execution by-passing secure boot protections.","modified":"2026-04-27T18:51:17.965431Z","published":"2025-02-18T18:00:00Z","upstream":["CVE-2025-0686"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-0686"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-0686"}],"affected":[{"package":{"name":"grub2","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/grub2@2.02~beta2-9ubuntu1.21?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.00-19ubuntu2","2.00-19ubuntu3","2.00-19ubuntu4","2.00-20","2.00-21","2.00-22","2.02~beta2-5","2.02~beta2-6","2.02~beta2-7","2.02~beta2-8","2.02~beta2-9","2.02~beta2-9ubuntu1","2.02~beta2-9ubuntu1.1","2.02~beta2-9ubuntu1.2","2.02~beta2-9ubuntu1.3","2.02~beta2-9ubuntu1.4","2.02~beta2-9ubuntu1.5","2.02~beta2-9ubuntu1.6","2.02~beta2-9ubuntu1.7","2.02~beta2-9ubuntu1.8","2.02~beta2-9ubuntu1.11","2.02~beta2-9ubuntu1.12","2.02~beta2-9ubuntu1.14","2.02~beta2-9ubuntu1.15","2.02~beta2-9ubuntu1.16","2.02~beta2-9ubuntu1.17","2.02~beta2-9ubuntu1.20","2.02~beta2-9ubuntu1.21"],"ecosystem_specific":{"binaries":[{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-common"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-coreboot"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-coreboot-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm64"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-ia32"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-ia32-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-emu"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-firmware-qemu"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-ieee1275"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-ieee1275-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-linuxbios"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-pc"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-pc-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-rescue-pc"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-theme-starfield"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-uboot"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-uboot-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-xen"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-xen-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub2"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub2-common"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.34.24?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.22","1.23","1.24","1.25","1.26","1.27","1.30","1.31","1.32","1.33","1.34","1.34.1","1.34.2","1.34.3","1.34.4","1.34.5","1.34.6","1.34.7","1.34.8","1.34.9","1.34.13","1.34.14","1.34.16","1.34.17","1.34.18","1.34.20","1.34.22","1.34.24"],"ecosystem_specific":{"binaries":[{"binary_version":"1.34.24+2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.167~16.04.6?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.55","1.56","1.57","1.58","1.59","1.61","1.62","1.63","1.64","1.65","1.66","1.66.1","1.66.2","1.66.6","1.66.7","1.66.8","1.66.9","1.66.11","1.66.12","1.66.14","1.66.15","1.66.16","1.66.17","1.66.18","1.66.19","1.66.20","1.66.21","1.66.22","1.66.23","1.66.26","1.66.27","1.66.28","1.66.29","1.167~16.04.1","1.167~16.04.2","1.167~16.04.4","1.167~16.04.6"],"ecosystem_specific":{"binaries":[{"binary_version":"1.167~16.04.6+2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.167~16.04.6+2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.04-1ubuntu44.1.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.1","2.04-1ubuntu44.1.2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.187.3~18.04.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.85","1.86","1.87","1.89","1.91","1.92","1.93","1.93.1","1.93.2","1.93.3","1.93.4","1.93.5","1.93.7","1.93.8","1.93.10","1.93.11","1.93.13","1.93.14","1.93.15","1.93.16","1.93.18","1.93.19","1.93.20","1.93.21","1.93.22","1.93.24","1.167~18.04.1","1.167~18.04.3","1.167~18.04.5","1.173.2~18.04.1","1.187.2~18.04.1","1.187.3~18.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.3~18.04.1+2.06-2ubuntu14.1","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.187.3~18.04.1+2.06-2ubuntu14.1","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.06-2ubuntu14.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.1","2.04-1ubuntu44.1.2","2.04-1ubuntu47.4","2.06-2ubuntu14","2.06-2ubuntu14.1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-amd64"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-arm64"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.187.12~20.04?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.128","1.129","1.130","1.131","1.133","1.134","1.135","1.136","1.137","1.138","1.139","1.140","1.141","1.142","1.142.1","1.142.3","1.142.4","1.142.5","1.142.6","1.142.8","1.142.9","1.142.10","1.142.11","1.167","1.167.2","1.173.2~20.04.1","1.173.4","1.187.2~20.04.2","1.187.3~20.04.1","1.187.4~20.04.1","1.187.6~20.04.1","1.187.12~20.04"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.12~20.04+2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.187.12~20.04+2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.06-2ubuntu14.8?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.2","2.04-1ubuntu47.4","2.04-1ubuntu47.5","2.06-2ubuntu14","2.06-2ubuntu14.1","2.06-2ubuntu14.2","2.06-2ubuntu14.4","2.06-2ubuntu14.8"],"ecosystem_specific":{"binaries":[{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.187.12?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.173","1.174","1.176","1.177","1.178","1.179","1.180","1.182~22.04.1","1.187.2","1.187.3~22.04.1","1.187.4~22.04.1","1.187.6","1.187.12"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.12+2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.187.12+2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.06-2ubuntu14.8?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu47","2.04-1ubuntu48","2.06-2ubuntu3","2.06-2ubuntu4","2.06-2ubuntu5","2.06-2ubuntu6","2.06-2ubuntu7","2.06-2ubuntu10","2.06-2ubuntu14","2.06-2ubuntu14.1","2.06-2ubuntu14.2","2.06-2ubuntu14.4","2.06-2ubuntu14.8"],"ecosystem_specific":{"binaries":[{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed@1.202.5?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.197","1.199","1.201","1.202","1.202.2","1.202.5"],"ecosystem_specific":{"binaries":[{"binary_version":"1.202.5+2.12-1ubuntu7.3","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.202.5+2.12-1ubuntu7.3","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned@2.12-1ubuntu7.3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12~rc1-10ubuntu4","2.12~rc1-12ubuntu2","2.12-1ubuntu1","2.12-1ubuntu7","2.12-1ubuntu7.1","2.12-1ubuntu7.3"],"ecosystem_specific":{"binaries":[{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-amd64"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-arm64"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/grub2-signed@1.214?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.212","1.213","1.214"],"ecosystem_specific":{"binaries":[{"binary_version":"1.214+2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.214+2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/grub2-unsigned@2.14~git20250718.0e36779-1ubuntu4?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12-5ubuntu11","2.14~git20250718.0e36779-1ubuntu1","2.14~git20250718.0e36779-1ubuntu4"],"ecosystem_specific":{"binaries":[{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64-unsigned"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-unsigned"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/grub2-signed@1.215?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.214","1.215"],"ecosystem_specific":{"binaries":[{"binary_version":"1.215+2.14-2ubuntu1","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.215+2.14-2ubuntu1","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:26.04","purl":"pkg:deb/ubuntu/grub2-unsigned@2.14-2ubuntu1?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.14~git20250718.0e36779-1ubuntu4","2.14-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-amd64"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-amd64-unsigned"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64-unsigned"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-0686.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}