CVE-2025-1125
Published: 03 March 2025
Description
Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.
Security Summary
CVE-2025-1125 affects GRUB's HFS filesystem module, where user-controlled parameters from HFS filesystem metadata are used to calculate internal buffer sizes without proper integer overflow checks. A maliciously crafted HFS filesystem can trigger overflows in these calculations, resulting in a grub_malloc() allocation smaller than expected. This leads to a buffer overflow in the hfsplus_open_compressed_real() function, corrupting critical internal GRUB data structures.
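The size-calculation defect described above is a general pattern, so the following is an added illustration rather than GRUB's code: two untrusted metadata fields are multiplied to derive an allocation size, the unchecked form wraps in 32-bit arithmetic and yields a tiny buffer, and the hardened form uses overflow-checked arithmetic and refuses the allocation. The function names, field names and sample values are constructed for the example and are not taken from the GRUB source or the advisory.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed example (not GRUB's code): an allocation size derived from
 * two fields read from untrusted filesystem metadata plus a fixed header. */

/* Vulnerable pattern: count * entry_size wraps silently in uint32_t, so a
 * crafted (count, entry_size) pair produces an allocation far smaller than
 * the data the caller will later write into it. */
uint32_t unchecked_size(uint32_t count, uint32_t entry_size, uint32_t header)
{
    return count * entry_size + header;
}

/* Hardened pattern: every arithmetic step is overflow-checked and the
 * request is rejected if any step wraps. Returns false on overflow. */
bool checked_size(uint32_t count, uint32_t entry_size, uint32_t header,
                  uint32_t *out)
{
    uint32_t product;
    if (__builtin_mul_overflow(count, entry_size, &product))
        return false;
    if (__builtin_add_overflow(product, header, out))
        return false;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the inputs are rejected
 * (a zero-byte request is never a valid allocation here). */
uint32_t checked_size_or_zero(uint32_t count, uint32_t entry_size, uint32_t header)
{
    uint32_t size;
    return checked_size(count, entry_size, header, &size) ? size : 0;
}

/* How many bytes a fill loop writing `count` entries of `entry_size` bytes
 * after a `header`-byte prefix would write past the unchecked allocation.
 * 0 means the buffer is large enough; anything else is an out-of-bounds
 * write (CWE-787). Computed in 64-bit so the true size does not wrap. */
long long overflow_bytes_unchecked(uint32_t count, uint32_t entry_size, uint32_t header)
{
    uint32_t alloc = unchecked_size(count, entry_size, header);
    unsigned long long needed =
        (unsigned long long)count * entry_size + header;
    return (long long)(needed - alloc);
}

int main(void)
{
    /* Constructed benign metadata: 100 entries of 16 bytes plus an 8-byte header. */
    printf("benign: alloc=%u checked=%u overflow=%lld\n",
           unchecked_size(100, 16, 8), checked_size_or_zero(100, 16, 8),
           overflow_bytes_unchecked(100, 16, 8));

    /* Constructed crafted metadata: 0x10000001 * 16 wraps to 16 in uint32_t. */
    printf("crafted: alloc=%u checked=%u overflow=%lld\n",
           unchecked_size(0x10000001u, 16, 0),
           checked_size_or_zero(0x10000001u, 16, 0),
           overflow_bytes_unchecked(0x10000001u, 16, 0));
    return 0;
}
```

The crafted case allocates only 16 bytes while the subsequent copy expects roughly 4 GiB, which is exactly the undersized-grub_malloc()-then-overflow sequence the summary describes; the checked variant returns 0 (rejected) for the same inputs. `__builtin_mul_overflow` and `__builtin_add_overflow` are GCC/Clang builtins; a code base without them can use the equivalent division check (`entry_size != 0 && count > UINT32_MAX / entry_size`).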
The vulnerability has a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-787 (Out-of-bounds Write). Exploitation requires local access with low complexity and no privileges, but user interaction is needed, such as tricking a user into loading or booting from a malicious HFS filesystem image via GRUB. Successful exploitation can enable arbitrary code execution, bypassing Secure Boot protections.
Advisories and discussions on mitigation are provided by Red Hat at https://access.redhat.com/security/cve/CVE-2025-1125, Red Hat Bugzilla at https://bugzilla.redhat.com/show_bug.cgi?id=2346138, and the GRUB development mailing list at https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The integer overflow in GRUB's HFS module enables a heap out-of-bounds write, leading to arbitrary code execution during boot and bypassing Secure Boot. This facilitates bootkit deployment (T1067), exploitation for privilege escalation (T1068) and defense evasion (T1211), and subversion of trust controls such as Secure Boot (T1553).