CVE-2025-0686: 
Alma Linux vulnerability analysis and mitigation

A vulnerability (CVE-2025-0686) was discovered in GRUB2's romfs filesystem module. The flaw was disclosed on February 18, 2025, affecting the romfs filesystem handling component. When performing symlink lookups, the module improperly checks for integer overflows when determining internal buffer sizes using filesystem geometry parameters (Debian Tracker, OSS Security).

The vulnerability stems from improper integer overflow checks in the grubromfsreadsymlink() function. When processing user-controlled parameters from filesystem geometry, the module performs a grubmalloc() operation with an incorrectly calculated (smaller) size than required. This leads to out-of-bounds writes during subsequent grubdiskread() function calls. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H (OSS Security).

The vulnerability can be leveraged to corrupt GRUB's internal critical data, potentially resulting in arbitrary code execution. The most severe impact is the possibility of bypassing secure boot protections, compromising the system's boot security (Debian Tracker).

Fixes have been released for affected systems. Debian has addressed the vulnerability in version 2.12-7 of the grub2 package. The fix is available in the sid release, while other versions (bullseye, bookworm, trixie) remain vulnerable and await updates (Debian Tracker).