CVE-2024-45780: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability (CVE-2024-45780) was discovered in GRUB2's tar file handling mechanism. The flaw was found in February 2025 and affects GRUB2 versions up to 2.12. The vulnerability stems from GRUB2's failure to properly verify buffer allocation against integer overflows when processing tar files (GRUB Devel, NVD).

The vulnerability occurs when GRUB2 allocates an internal buffer for file names while reading tar files. The allocation process fails to properly verify against possible integer overflows, which can lead to a heap out-of-bounds write condition. The vulnerability has been assigned a CVSS v3.1 base score of 6.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high privileges needed (NVD).

The vulnerability's exploitation can lead to a heap out-of-bounds write, which could allow an attacker to circumvent secure boot protections. This poses a significant security risk as it could potentially compromise the integrity of the boot process and bypass security mechanisms designed to protect the system during boot (GRUB Devel, Ubuntu Security).

The vulnerability has been fixed in GRUB2 version 2.12-7 and later. Users are advised to update to the patched version. Full mitigation requires updated shim with latest SBAT (Secure Boot Advanced Targeting) data provided by distributions and vendors. The revocation of broken artifacts will be done with SBAT only, and UEFI revocation list (dbx) will not be used (GRUB Devel).