CVE-2023-4001
Alma Linux vulnerability analysis and mitigation

Overview

CVE-2023-4001 is an authentication bypass vulnerability discovered in GRUB (GRand Unified Bootloader) that affects the password protection feature. The vulnerability was discovered on April 3, 2023, and publicly disclosed on January 15, 2024. The flaw affects Red Hat's downstream version of GRUB2 and does not impact the upstream package. The vulnerability allows an attacker with physical access to bypass GRUB's password protection on UEFI-based systems (DFIR Blog).

Technical details

The vulnerability exists in how GRUB uses the UUID of a device to search for the configuration file containing the password hash. On UEFI systems, the GRUB configuration is split between two files: a stub in the EFI System Partition (ESP) and the main configuration file, which holds the password hash, on the /boot volume. The stub locates /boot by searching all block devices for its UUID. The vulnerability can be exploited when an attacker attaches an external drive (such as a USB stick) containing a file system whose UUID duplicates that of the /boot file system. Because some UEFI firmware enumerates removable drives before non-removable ones, GRUB may select the wrong device and load the configuration on the attached drive instead of the one carrying the password hash, resulting in an authentication bypass. The vulnerability has been assigned a CVSS v3.1 base score of 6.8 (Medium) with vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, Red Hat).

Impact

When successfully exploited, this vulnerability allows an attacker with physical access to bypass the GRUB password protection feature, potentially enabling them to modify boot parameters, boot unauthorized operating systems, or gain elevated privileges in the installed operating system. In some uncommon setups, the attack can be performed with physical access alone, without requiring unprivileged user access (DFIR Blog).

Mitigation and workarounds

Red Hat has implemented a fix that adds a new argument to the 'search' command, restricting the UUID scan to the block device from which the GRUB boot manager was launched. As a consequence, the /boot volume must reside on the same drive as the EFI System Partition for the fixed GRUB to locate it. Users should remove the stub grub.cfg in their ESP by executing 'rm /boot/efi/EFI/redhat/grub.cfg' before applying the update, so that the package update regenerates it with the correct search flags (Red Hat Bugzilla, DFIR Blog).
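As an added example (not from the advisory, Red Hat or AlmaLinux), the following script audits a host for the two layout conditions discussed above: a UUID that appears on more than one block device (the duplicate-UUID scenario, flagged more strongly when a removable drive carries it), and a /boot volume that does not sit on the same disk as the ESP, which the fixed search restriction cannot protect. It parses a constructed sample in the format of `lsblk -P -o NAME,PKNAME,UUID,MOUNTPOINT,RM`; on a real host, feed the actual lsblk output to `parse_lsblk_pairs`.

```python
import shlex

# Constructed sample in `lsblk -P -o NAME,PKNAME,UUID,MOUNTPOINT,RM` format: internal
# disk sda (ESP, /boot, LVM root) plus a removable sdb1 cloning the /boot UUID.
SAMPLE = """\
NAME="sda1" PKNAME="sda" UUID="A1B2-C3D4" MOUNTPOINT="/boot/efi" RM="0"
NAME="sda2" PKNAME="sda" UUID="0f3c1e3a-7b4f-4c2e-9d1a-3e5b2c8f0a11" MOUNTPOINT="/boot" RM="0"
NAME="sda3" PKNAME="sda" UUID="c9d1f0aa-3b8e-4f7a-8a2d-1e6c4d9b7f22" MOUNTPOINT="" RM="0"
NAME="rl-root" PKNAME="sda3" UUID="5e2a9c7d-1f4b-4a6e-b8d3-7c0e2f9a6b33" MOUNTPOINT="/" RM="0"
NAME="sdb1" PKNAME="sdb" UUID="0f3c1e3a-7b4f-4c2e-9d1a-3e5b2c8f0a11" MOUNTPOINT="" RM="1"
"""

def parse_lsblk_pairs(text):
    """Turn KEY="value" lines (lsblk -P output) into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(kv.split("=", 1) for kv in shlex.split(line)))
    return rows

def root_disk(rows, name):
    """Follow PKNAME links upwards so partitions and LVM/RAID volumes map to a disk."""
    parent = {r["NAME"]: r["PKNAME"] for r in rows}
    while parent.get(name):
        name = parent[name]
    return name

def audit_grub_uuid(rows):
    """Return findings relevant to CVE-2023-4001; an empty list means nothing flagged."""
    findings, by_uuid = [], {}
    for r in rows:
        if r["UUID"]:
            by_uuid.setdefault(r["UUID"], []).append(r)
    # Finding 1: one UUID on several devices. The ESP stub locates /boot by UUID,
    # so a duplicate (worse, on a removable drive) can make GRUB load the wrong grub.cfg.
    for uuid, devs in by_uuid.items():
        if len(devs) > 1:
            names = ", ".join(d["NAME"] for d in devs)
            removable = [d["NAME"] for d in devs if d["RM"] == "1"]
            note = f" (removable: {', '.join(removable)})" if removable else ""
            findings.append(f"duplicate UUID {uuid} on {names}{note}")
    # Finding 2: /boot (or / when /boot is not separate) and the ESP on different disks.
    # The fixed GRUB only searches the disk it booted from, so this layout needs attention.
    mounts = {r["MOUNTPOINT"]: r["NAME"] for r in rows if r["MOUNTPOINT"]}
    boot, esp = mounts.get("/boot") or mounts.get("/"), mounts.get("/boot/efi")
    if boot and esp and root_disk(rows, boot) != root_disk(rows, esp):
        findings.append(f"/boot on {boot} and ESP on {esp} are on different disks")
    return findings
```

Run `audit_grub_uuid(parse_lsblk_pairs(SAMPLE))` to see the duplicate-UUID finding for the constructed sample; an empty result on a real host means neither condition is present.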

This report was generated using AI.
