Search for packages
| purl | pkg:deb/debian/grub2@2.06-3~deb11u6 |
| Next non-vulnerable version | 2.12-1~bpo12+1 |
| Latest non-vulnerable version | 2.12-1~bpo12+1 |
| Risk | 3.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1n1m-w2fg-bqha
Aliases: CVE-2025-0678 |
grub2: squash4: Integer overflow may lead to heap based out-of-bounds write when reading data |
Affected by 0 other vulnerabilities. |
|
VCID-3eq9-kvj5-jya2
Aliases: CVE-2025-0690 |
grub2: read: Integer overflow may lead to out-of-bounds write |
Affected by 0 other vulnerabilities. |
|
VCID-3hgd-6nhb-qbfu
Aliases: CVE-2025-0684 |
grub2: reiserfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data |
Affected by 0 other vulnerabilities. |
|
VCID-3y7s-y777-9bce
Aliases: CVE-2025-0677 |
grub2: UFS: Integer overflow may lead to heap based out-of-bounds write when handling symlinks |
Affected by 0 other vulnerabilities. |
|
VCID-5a9t-t1gk-j7ba
Aliases: CVE-2025-0685 |
grub2: jfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading data |
Affected by 0 other vulnerabilities. |
|
VCID-5mbv-3pzx-9fdf
Aliases: CVE-2024-45781 |
A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections. |
Affected by 0 other vulnerabilities. |
|
VCID-5msw-szj7-efg6
Aliases: CVE-2024-45778 |
A stack overflow flaw was found when reading a BFS file system. A crafted BFS filesystem may lead to an uncontrolled loop, causing grub2 to crash. |
Affected by 0 other vulnerabilities. |
|
VCID-5v25-3fq8-hbh7
Aliases: CVE-2024-45780 |
A flaw was found in grub2. When reading tar files, grub2 allocates an internal buffer for the file name. However, it fails to properly verify the allocation against possible integer overflows. It's possible to cause the allocation length to overflow with a crafted tar file, leading to a heap out-of-bounds write. This flaw eventually allows an attacker to circumvent secure boot protections. |
Affected by 0 other vulnerabilities. |
|
VCID-8vm3-vfkx-x3ay
Aliases: CVE-2025-1125 |
grub2: fs/hfs: Integer overflow may lead to heap based out-of-bounds write |
Affected by 0 other vulnerabilities. |
|
VCID-c63e-ytnu-hqcn
Aliases: CVE-2024-45783 |
A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access. |
Affected by 0 other vulnerabilities. |
|
VCID-f7zs-5hu5-7kgq
Aliases: CVE-2024-56737 |
grub2: heap-based buffer overflow |
Affected by 0 other vulnerabilities. |
|
VCID-g8dt-5s5d-2kaa
Aliases: CVE-2025-0624 |
grub2: net: Out-of-bounds write in grub_net_search_config_file() |
Affected by 0 other vulnerabilities. |
|
VCID-ht6b-33up-4qfv
Aliases: CVE-2025-0689 |
grub2: udf: Heap based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution |
Affected by 0 other vulnerabilities. |
|
VCID-m97u-13fq-jfbw
Aliases: CVE-2025-1118 |
grub2: commands/dump: The dump command is not in lockdown when secure boot is enabled |
Affected by 0 other vulnerabilities. |
|
VCID-mfx5-q1cr-rbgb
Aliases: CVE-2025-0686 |
grub2: romfs: Integer overflow when handling symlinks may lead to heap based out-of-bounds write when reading dat |
Affected by 0 other vulnerabilities. |
|
VCID-q4z6-cp3e-tfg4
Aliases: CVE-2024-45774 |
A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not discarded. |
Affected by 0 other vulnerabilities. |
|
VCID-qdpn-t7u4-h7c8
Aliases: CVE-2024-45779 |
An integer overflow flaw was found in the BFS file system driver in grub2. When reading a file with an indirect extent map, grub2 fails to validate the number of extent entries to be read. A crafted or corrupted BFS filesystem may cause an integer overflow during the file reading, leading to a heap of bounds read. As a consequence, sensitive data may be leaked, or grub2 will crash. |
Affected by 0 other vulnerabilities. |
|
VCID-qfa6-cdfg-wffs
Aliases: CVE-2025-0622 |
grub2: command/gpg: Use-after-free due to hooks not being removed on module unload |
Affected by 0 other vulnerabilities. |
|
VCID-smxq-995q-rqca
Aliases: CVE-2024-45782 |
A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may read to a heap-based out-of-bounds writer, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass. |
Affected by 0 other vulnerabilities. |
|
VCID-suzk-agp2-hqc3
Aliases: CVE-2024-45777 |
A flaw was found in grub2. The calculation of the translation buffer when reading a language .mo file in grub_gettext_getstr_from_position() may overflow, leading to a Out-of-bound write. This issue can be leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention of secure boot protections. |
Affected by 0 other vulnerabilities. |
|
VCID-ubvn-99dq-aaam
Aliases: CVE-2021-3981 |
A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-ue6k-w2p8-uyeb
Aliases: CVE-2024-45776 |
When reading the language .mo file in grub_mofile_open(), grub2 fails to verify an integer overflow when allocating its internal buffer. A crafted .mo file may lead the buffer size calculation to overflow, leading to out-of-bound reads and writes. This flaw allows an attacker to leak sensitive data or overwrite critical data, possibly circumventing secure boot protections. |
Affected by 0 other vulnerabilities. |
|
VCID-zgpm-nx21-7bb4
Aliases: CVE-2024-45775 |
A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-3c59-utt9-aaag | An out-of-bounds read flaw was found on grub2's NTFS filesystem driver. This issue may allow a physically present attacker to present a specially crafted NTFS file system image to read arbitrary memory locations. A successful attack allows sensitive data cached in memory or EFI variable values to be leaked, presenting a high Confidentiality risk. |
CVE-2023-4693
|
| VCID-5dza-1mxg-aaaf | A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism. |
CVE-2022-2601
|
| VCID-pun4-pr3v-aaaf | An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved. |
CVE-2023-4692
|
| VCID-ubvn-99dq-aaam | A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released. |
CVE-2021-3981
|
| VCID-ymcd-vs51-aaaa | When rendering certain unicode sequences, grub2's font code doesn't proper validate if the informed glyph's width and height is constrained within bitmap size. As consequence an attacker can craft an input which will lead to a out-of-bounds write into grub2's heap, leading to memory corruption and availability issues. Although complex, arbitrary code execution could not be discarded. |
CVE-2022-3775
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-06-22T09:34:10.411654+00:00 | Debian Importer | Affected by | VCID-zgpm-nx21-7bb4 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-22T08:53:51.272219+00:00 | Debian Importer | Affected by | VCID-8vm3-vfkx-x3ay | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-22T05:06:32.710119+00:00 | Debian Importer | Affected by | VCID-5msw-szj7-efg6 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-22T03:01:55.179848+00:00 | Debian Importer | Affected by | VCID-qdpn-t7u4-h7c8 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T20:24:03.499873+00:00 | Debian Importer | Affected by | VCID-ue6k-w2p8-uyeb | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T17:36:08.886145+00:00 | Debian Importer | Affected by | VCID-5a9t-t1gk-j7ba | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T15:11:50.187119+00:00 | Debian Importer | Affected by | VCID-5v25-3fq8-hbh7 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T13:55:32.243593+00:00 | Debian Importer | Affected by | VCID-c63e-ytnu-hqcn | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T10:36:42.923450+00:00 | Debian Importer | Affected by | VCID-smxq-995q-rqca | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T10:31:46.523755+00:00 | Debian Importer | Affected by | VCID-q4z6-cp3e-tfg4 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T10:06:06.711784+00:00 | Debian Importer | Affected by | VCID-suzk-agp2-hqc3 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T10:03:38.709608+00:00 | Debian Importer | Affected by | VCID-f7zs-5hu5-7kgq | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T07:02:16.487718+00:00 | Debian Importer | Affected by | VCID-3hgd-6nhb-qbfu | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T06:45:15.862770+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.1.3 |
| 2025-06-21T06:44:24.679068+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.1.3 |
| 2025-06-21T06:27:34.194454+00:00 | Debian Importer | Affected by | VCID-3y7s-y777-9bce | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-21T02:39:16.918787+00:00 | Debian Importer | Affected by | VCID-mfx5-q1cr-rbgb | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T23:49:37.265899+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T23:34:41.538285+00:00 | Debian Importer | Affected by | VCID-qfa6-cdfg-wffs | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T22:52:05.607808+00:00 | Debian Importer | Affected by | VCID-3eq9-kvj5-jya2 | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T22:49:15.425243+00:00 | Debian Importer | Affected by | VCID-1n1m-w2fg-bqha | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T22:31:43.401612+00:00 | Debian Importer | Affected by | VCID-m97u-13fq-jfbw | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T22:06:57.852836+00:00 | Debian Importer | Affected by | VCID-g8dt-5s5d-2kaa | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-20T21:05:02.896172+00:00 | Debian Importer | Affected by | VCID-5mbv-3pzx-9fdf | https://security-tracker.debian.org/tracker/data/json | 36.1.3 |
| 2025-06-08T12:49:41.446697+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T12:33:56.778737+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T11:57:44.942479+00:00 | Debian Oval Importer | Fixing | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.1.0 |
| 2025-06-08T00:24:45.723966+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.1.0 |
| 2025-06-08T00:23:54.683098+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.1.0 |
| 2025-04-12T19:21:58.910329+00:00 | Debian Oval Importer | Fixing | VCID-pun4-pr3v-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:36:39.847376+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T18:20:25.267002+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-12T17:42:57.795624+00:00 | Debian Oval Importer | Fixing | VCID-3c59-utt9-aaag | https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 | 36.0.0 |
| 2025-04-07T22:57:04.315238+00:00 | Debian Oval Importer | Fixing | VCID-5dza-1mxg-aaaf | None | 36.0.0 |
| 2025-04-07T22:56:11.515588+00:00 | Debian Oval Importer | Fixing | VCID-ymcd-vs51-aaaa | None | 36.0.0 |
| 2025-04-07T10:30:03.142540+00:00 | Debian Importer | Affected by | VCID-8vm3-vfkx-x3ay | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-07T09:17:48.407968+00:00 | Debian Importer | Affected by | VCID-c63e-ytnu-hqcn | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-07T05:28:00.761123+00:00 | Debian Importer | Affected by | VCID-ht6b-33up-4qfv | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-07T04:34:06.270065+00:00 | Debian Importer | Affected by | VCID-3y7s-y777-9bce | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-07T03:50:56.867740+00:00 | Debian Importer | Affected by | VCID-f7zs-5hu5-7kgq | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T17:37:51.174027+00:00 | Debian Importer | Affected by | VCID-5v25-3fq8-hbh7 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T15:46:32.472443+00:00 | Debian Importer | Affected by | VCID-5msw-szj7-efg6 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T14:03:12.871284+00:00 | Debian Importer | Affected by | VCID-q4z6-cp3e-tfg4 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T08:51:04.386902+00:00 | Debian Importer | Affected by | VCID-5mbv-3pzx-9fdf | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T08:27:20.711349+00:00 | Debian Importer | Affected by | VCID-qdpn-t7u4-h7c8 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T07:53:52.432849+00:00 | Debian Importer | Affected by | VCID-qfa6-cdfg-wffs | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T04:57:03.631845+00:00 | Debian Importer | Affected by | VCID-ue6k-w2p8-uyeb | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-06T02:58:17.141379+00:00 | Debian Importer | Affected by | VCID-zgpm-nx21-7bb4 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T17:50:12.559064+00:00 | Debian Importer | Affected by | VCID-5a9t-t1gk-j7ba | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T16:02:46.564309+00:00 | Debian Importer | Affected by | VCID-smxq-995q-rqca | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T09:35:39.242570+00:00 | Debian Importer | Affected by | VCID-mfx5-q1cr-rbgb | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T07:23:07.558160+00:00 | Debian Importer | Affected by | VCID-suzk-agp2-hqc3 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-05T04:18:19.529240+00:00 | Debian Importer | Affected by | VCID-3hgd-6nhb-qbfu | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T02:31:06.108608+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T01:31:03.404823+00:00 | Debian Importer | Affected by | VCID-3eq9-kvj5-jya2 | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T01:28:29.814140+00:00 | Debian Importer | Affected by | VCID-1n1m-w2fg-bqha | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T01:10:38.890197+00:00 | Debian Importer | Affected by | VCID-m97u-13fq-jfbw | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-04-04T00:45:18.113874+00:00 | Debian Importer | Affected by | VCID-g8dt-5s5d-2kaa | https://security-tracker.debian.org/tracker/data/json | 36.0.0 |
| 2025-02-20T05:32:23.042162+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 35.1.0 |
| 2024-11-22T23:30:04.118796+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 35.0.0 |
| 2024-10-09T21:50:02.121324+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.2 |
| 2024-09-19T05:49:17.575061+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.1 |
| 2024-04-25T04:13:20.118106+00:00 | Debian Importer | Affected by | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc4 |
| 2024-01-11T05:41:18.849400+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc2 |
| 2024-01-11T05:41:03.826685+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 34.0.0rc2 |
| 2024-01-04T16:57:42.218248+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | https://security-tracker.debian.org/tracker/data/json | 34.0.0rc1 |
| 2024-01-04T16:57:28.494367+00:00 | Debian Importer | Fixing | VCID-ubvn-99dq-aaam | None | 34.0.0rc1 |