CVE-2025-0678: 
CBL Mariner vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-0678) was discovered in GRUB2's squash4 filesystem module. The flaw was disclosed on February 18, 2025, affecting GRUB2 versions up to 2.12. The vulnerability stems from improper integer overflow checks when processing filesystem geometry parameters (NVD, Openwall).

The vulnerability occurs when GRUB2's squash4 filesystem module processes user-controlled parameters from filesystem geometry to determine internal buffer sizes. Due to improper integer overflow checks, a maliciously crafted filesystem can cause buffer size calculations to overflow, resulting in grub_malloc() operations with smaller-than-expected sizes. This leads to heap-based out-of-bounds writes during data reading through the direct_read() function. The vulnerability has received a CVSS v3.1 base score of 7.8 (HIGH) from NVD and 6.4 (MEDIUM) from Red Hat (NVD).

The vulnerability can be exploited to corrupt GRUB's internal critical data, potentially leading to arbitrary code execution and bypass of secure boot protections. This poses a significant security risk to affected systems, particularly in environments where secure boot is relied upon for system integrity (NVD, Debian).

A fix has been released in GRUB2 version 2.12-7 for Debian systems. Red Hat Enterprise Linux 7.0, 8.0, 9.0, and OpenShift Container Platform 4.0 are affected and require updates. System administrators are advised to apply the available patches as soon as possible (Debian).