SUSE-SU-2025:20511-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202520511-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20511-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2025:20511-1
Published
2025-07-29T08:20:21Z
Modified
2026-03-23T04:50:09.963359Z
Summary
Security update for grub2
Details

This update for grub2 fixes the following issues:

  • CVE-2025-4382: Fixed TPM auto-decryption data exposure (bsc#1242971)
  • Filter out the non-subvolume btrfs mount points when creating the relative path (bsc#1239674)
  • CVE-2024-45781: Fixed ufs strcpy overflow (bsc#1233617)
  • CVE-2024-56737: Fixed heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem (bsc#1234958)
  • CVE-2024-45782: Fixed hfs strcpy overflow (bsc#1233615)
  • CVE-2024-45780: Fixed overflow in tar/cpio (bsc#1233614)
  • CVE-2024-45783: Fixed hfsplus refcount overflow (bsc#1233616)
  • CVE-2025-0624: Fixed out-of-bounds write in grub_net_search_config_file() (bsc#1236316)
  • CVE-2024-45774: Fixed heap overflows in JPEG parser (bsc#1233609)
  • CVE-2024-45775: Fixed missing NULL check in extcmd parser (bsc#1233610)
  • CVE-2025-0622: Fixed command/gpg: Use-after-free due to hooks not being removed on module unload (bsc#1236317)
  • CVE-2024-45776: Fixed overflow in .MO file (gettext) handling (bsc#1233612)
  • CVE-2024-45777: Fixed integer overflow in gettext (bsc#1233613)
  • CVE-2025-0690: Fixed integer overflow in read that may lead to out-of-bounds write (bsc#1237012)
  • CVE-2025-1118: Fixed commands/dump: The dump command is not in lockdown when secure boot is enabled (bsc#1237013)
  • CVE-2024-45778: Fixed bfs filesystem not fuzzing stable (bsc#1233606)
  • CVE-2024-45779: Fixed bfs heap overflow (bsc#1233608)
  • CVE-2025-0677: Fixed integer overflow that may lead to heap-based out-of-bounds write when handling symlinks in ufs (bsc#1237002)
  • CVE-2025-0684: Fixed reiserfs: Integer overflow when handling symlinks may lead to heap-based out-of-bounds write when reading data (bsc#1237008)
  • CVE-2025-0685: Fixed jfs: Integer overflow when handling symlinks may lead to heap-based out-of-bounds write when reading data (bsc#1237009)
  • CVE-2025-0686: Fixed romfs: Integer overflow when handling symlinks may lead to heap-based out-of-bounds write when reading data (bsc#1237010)
  • CVE-2025-0689: Fixed udf: Heap-based buffer overflow in grub_udf_read_block() may lead to arbitrary code execution (bsc#1237011)
  • CVE-2025-1125: Fixed fs/hfs: Integer overflow may lead to heap-based out-of-bounds write (bsc#1237014)
  • CVE-2025-0678: Fixed squash4: Integer overflow may lead to heap-based out-of-bounds write when reading data (bsc#1237006)
  • Bump upstream SBAT generation to 5 to block older grub2 versions.
  • CVE-2024-49504: Fixed bypassing TPM-bound disk encryption on SL(E)M encrypted images (bsc#1229163) (bsc#1229164)
  • Restrict CLI access if the encrypted root device is automatically unlocked by the TPM. LUKS password authentication is required for access to be granted.
  • Obsolete, as CLI access is now locked and granted access no longer requires the previous restrictions.
Affected packages

SUSE:Linux Micro 6.0 / grub2

Package

Name
grub2
Purl
pkg:rpm/suse/grub2&distro=SUSE%20Linux%20Micro%206.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
2.12~rc1-6.1

Ecosystem specific

{
    "binaries": [
        {
            "grub2-x86_64-xen": "2.12~rc1-6.1",
            "grub2-i386-pc": "2.12~rc1-6.1",
            "grub2": "2.12~rc1-6.1",
            "grub2-arm64-efi": "2.12~rc1-6.1",
            "grub2-snapper-plugin": "2.12~rc1-6.1",
            "grub2-s390x-emu": "2.12~rc1-6.1",
            "grub2-x86_64-efi": "2.12~rc1-6.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:20511-1.json"