CVE-2025-1118

medium

Description

A flaw was found in grub2. Grub's dump command is not blocked when grub is in lockdown mode, which allows the user to read any memory information, and an attacker may leverage this in order to extract signatures, salts, and other sensitive information from the memory.

References

https://access.redhat.com/errata/RHSA-2025:16154

https://www.bleepingcomputer.com/news/security/microsoft-uses-ai-to-find-flaws-in-grub2-u-boot-barebox-bootloaders/

https://lists.gnu.org/archive/html/grub-devel/2025-02/msg00024.html

https://git.savannah.gnu.org/cgit/grub.git/commit/?id=34824806ac6302f91e8cabaa41308eaced25725f

https://bugzilla.redhat.com/show_bug.cgi?id=2346137

https://access.redhat.com/security/cve/CVE-2025-1118

Details

Source: Mitre, NVD

Published: 2025-02-19

Updated: 2026-03-24

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:L/AC:L/Au:M/C:C/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

EPSS

EPSS: 0.00023