{"id":"UBUNTU-CVE-2025-4382","details":"A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.","modified":"2026-05-20T16:23:29.441070066Z","published":"2025-05-09T12:15:00Z","upstream":["CVE-2025-4382"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-4382"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2025-4382"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ed691c0e0e20d9d0e8d8305a120e8c61d6be3d38"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=7a584fbde0c339816a57d55fc165a854039cf0b2"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=10d778c4b4d56cc36836d86a9698bc5272b12101"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=23ec4535f40dc53f68d2709f8fb44af571431ca7"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=301b4ef25a8fafaeba48498e97efd28bd2809f97"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=dbc0eb5bd1f40de9b394e3a86e84f46c39a23e40"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=73d1c959ea3417e9309ba8c6102d7d6dc7c94259"},{"type":"REPORT","url":"https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=bb65d81fe320e4b20d0a9b32232a7546eb275ecc"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2025-4382"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2364416"}],"affected":[{"package":{"name":"grub2","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/grub2?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.00-19ubuntu2","2.00-19ubuntu3","2.00-19ubuntu4","2.00-20","2.00-21","2.00-22","2.02~beta2-5","2.02~beta2-6","2.02~beta2-7","2.02~beta2-8","2.02~beta2-9","2.02~beta2-9ubuntu1","2.02~beta2-9ubuntu1.1","2.02~beta2-9ubuntu1.2","2.02~beta2-9ubuntu1.3","2.02~beta2-9ubuntu1.4","2.02~beta2-9ubuntu1.5","2.02~beta2-9ubuntu1.6","2.02~beta2-9ubuntu1.7","2.02~beta2-9ubuntu1.8","2.02~beta2-9ubuntu1.11","2.02~beta2-9ubuntu1.12","2.02~beta2-9ubuntu1.14","2.02~beta2-9ubuntu1.15","2.02~beta2-9ubuntu1.16","2.02~beta2-9ubuntu1.17","2.02~beta2-9ubuntu1.20","2.02~beta2-9ubuntu1.21"],"ecosystem_specific":{"binaries":[{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-common"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-coreboot"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-coreboot-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm"},{"binary_name":"grub-efi-arm-bin","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_name":"grub-efi-arm64","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-ia32"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-ia32-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-emu"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-firmware-qemu"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-ieee1275"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-ieee1275-bin"},{"binary_name":"grub-linuxbios","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-pc"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-pc-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-rescue-pc"},{"binary_name":"grub-theme-starfield","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_name":"grub-uboot","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_name":"grub-uboot-bin","binary_version":"2.02~beta2-9ubuntu1.21"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-xen"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub-xen-bin"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub2"},{"binary_version":"2.02~beta2-9ubuntu1.21","binary_name":"grub2-common"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=esm-infra-legacy%2Ftrusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.22","1.23","1.24","1.25","1.26","1.27","1.30","1.31","1.32","1.33","1.34","1.34.1","1.34.2","1.34.3","1.34.4","1.34.5","1.34.6","1.34.7","1.34.8","1.34.9","1.34.13","1.34.14","1.34.16","1.34.17","1.34.18","1.34.20","1.34.22","1.34.24"],"ecosystem_specific":{"binaries":[{"binary_version":"1.34.24+2.02~beta2-9ubuntu1.21","binary_name":"grub-efi-amd64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.55","1.56","1.57","1.58","1.59","1.61","1.62","1.63","1.64","1.65","1.66","1.66.1","1.66.2","1.66.6","1.66.7","1.66.8","1.66.9","1.66.11","1.66.12","1.66.14","1.66.15","1.66.16","1.66.17","1.66.18","1.66.19","1.66.20","1.66.21","1.66.22","1.66.23","1.66.26","1.66.27","1.66.28","1.66.29","1.167~16.04.1","1.167~16.04.2","1.167~16.04.4","1.167~16.04.6"],"ecosystem_specific":{"binaries":[{"binary_name":"grub-efi-amd64-signed","binary_version":"1.167~16.04.6+2.04-1ubuntu44.1.2"},{"binary_name":"grub-efi-arm64-signed","binary_version":"1.167~16.04.6+2.04-1ubuntu44.1.2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.1","2.04-1ubuntu44.1.2"],"ecosystem_specific":{"binaries":[{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64"},{"binary_version":"2.04-1ubuntu44.1.2","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.85","1.86","1.87","1.89","1.91","1.92","1.93","1.93.1","1.93.2","1.93.3","1.93.4","1.93.5","1.93.7","1.93.8","1.93.10","1.93.11","1.93.13","1.93.14","1.93.15","1.93.16","1.93.18","1.93.19","1.93.20","1.93.21","1.93.22","1.93.24","1.167~18.04.1","1.167~18.04.3","1.167~18.04.5","1.173.2~18.04.1","1.187.2~18.04.1","1.187.3~18.04.1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.3~18.04.1+2.06-2ubuntu14.1","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.187.3~18.04.1+2.06-2ubuntu14.1","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.1","2.04-1ubuntu44.1.2","2.04-1ubuntu47.4","2.06-2ubuntu14","2.06-2ubuntu14.1"],"ecosystem_specific":{"binaries":[{"binary_name":"grub-efi-amd64","binary_version":"2.06-2ubuntu14.1"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-arm64"},{"binary_version":"2.06-2ubuntu14.1","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.128","1.129","1.130","1.131","1.133","1.134","1.135","1.136","1.137","1.138","1.139","1.140","1.141","1.142","1.142.1","1.142.3","1.142.4","1.142.5","1.142.6","1.142.8","1.142.9","1.142.10","1.142.11","1.167","1.167.2","1.173.2~20.04.1","1.173.4","1.187.2~20.04.2","1.187.3~20.04.1","1.187.4~20.04.1","1.187.6~20.04.1","1.187.12~20.04"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.12~20.04+2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.187.12~20.04+2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu44","2.04-1ubuntu44.2","2.04-1ubuntu47.4","2.04-1ubuntu47.5","2.06-2ubuntu14","2.06-2ubuntu14.1","2.06-2ubuntu14.2","2.06-2ubuntu14.4","2.06-2ubuntu14.8"],"ecosystem_specific":{"binaries":[{"binary_name":"grub-efi-amd64","binary_version":"2.06-2ubuntu14.8"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-bin"},{"binary_name":"grub-efi-arm64","binary_version":"2.06-2ubuntu14.8"},{"binary_name":"grub-efi-arm64-bin","binary_version":"2.06-2ubuntu14.8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.173","1.174","1.176","1.177","1.178","1.179","1.180","1.182~22.04.1","1.187.2","1.187.3~22.04.1","1.187.4~22.04.1","1.187.6","1.187.12"],"ecosystem_specific":{"binaries":[{"binary_version":"1.187.12+2.06-2ubuntu14.8","binary_name":"grub-efi-amd64-signed"},{"binary_name":"grub-efi-arm64-signed","binary_version":"1.187.12+2.06-2ubuntu14.8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.04-1ubuntu47","2.04-1ubuntu48","2.06-2ubuntu3","2.06-2ubuntu4","2.06-2ubuntu5","2.06-2ubuntu6","2.06-2ubuntu7","2.06-2ubuntu10","2.06-2ubuntu14","2.06-2ubuntu14.1","2.06-2ubuntu14.2","2.06-2ubuntu14.4","2.06-2ubuntu14.8"],"ecosystem_specific":{"binaries":[{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-amd64"},{"binary_name":"grub-efi-amd64-bin","binary_version":"2.06-2ubuntu14.8"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64"},{"binary_version":"2.06-2ubuntu14.8","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.197","1.199","1.201","1.202","1.202.2","1.202.5"],"ecosystem_specific":{"binaries":[{"binary_version":"1.202.5+2.12-1ubuntu7.3","binary_name":"grub-efi-amd64-signed"},{"binary_name":"grub-efi-arm64-signed","binary_version":"1.202.5+2.12-1ubuntu7.3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12~rc1-10ubuntu4","2.12~rc1-12ubuntu2","2.12-1ubuntu1","2.12-1ubuntu7","2.12-1ubuntu7.1","2.12-1ubuntu7.3"],"ecosystem_specific":{"binaries":[{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-amd64"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-arm64"},{"binary_version":"2.12-1ubuntu7.3","binary_name":"grub-efi-arm64-bin"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.212","1.213","1.214"],"ecosystem_specific":{"binaries":[{"binary_name":"grub-efi-amd64-signed","binary_version":"1.214+2.14~git20250718.0e36779-1ubuntu4"},{"binary_version":"1.214+2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.12-5ubuntu11","2.14~git20250718.0e36779-1ubuntu1","2.14~git20250718.0e36779-1ubuntu4"],"ecosystem_specific":{"binaries":[{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-amd64-bin"},{"binary_name":"grub-efi-amd64-unsigned","binary_version":"2.14~git20250718.0e36779-1ubuntu4"},{"binary_name":"grub-efi-arm64","binary_version":"2.14~git20250718.0e36779-1ubuntu4"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.14~git20250718.0e36779-1ubuntu4","binary_name":"grub-efi-arm64-unsigned"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-signed","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/grub2-signed?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.214","1.215"],"ecosystem_specific":{"binaries":[{"binary_version":"1.215+2.14-2ubuntu1","binary_name":"grub-efi-amd64-signed"},{"binary_version":"1.215+2.14-2ubuntu1","binary_name":"grub-efi-arm64-signed"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}},{"package":{"name":"grub2-unsigned","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/grub2-unsigned?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.14~git20250718.0e36779-1ubuntu4","2.14-2ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"grub-efi-amd64","binary_version":"2.14-2ubuntu1"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-amd64-bin"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-amd64-unsigned"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64-bin"},{"binary_version":"2.14-2ubuntu1","binary_name":"grub-efi-arm64-unsigned"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-4382.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}