
The GRUB bootloader has received 73 patches addressing serious security vulnerabilities, yet an official updated release has not been published to date. Although the fixes were made publicly available as early as February and have already been integrated into the project’s Git repository, no formal release has followed. The most recent stable version, GRUB 2.12, was issued a year and a half ago.
Wider awareness of these critical patches only emerged recently with the release of the sixth release candidate of GNU Boot 0.1. This release drew attention to a multitude of potentially dangerous vulnerabilities, some of which have been assigned CVE identifiers. In response, GNU Boot developers updated the bundled GRUB version to mitigate these threats.
One of the most severe vulnerabilities involves user-supplied images that replace the standard GRUB logo. If such an image is deliberately crafted by a malicious actor, it could be exploited to gain full control over the machine. Similar issues have previously been observed in open-source UEFI implementations. Experts stress the critical importance of using only trusted images when configuring bootloaders, as flaws in image processing can compromise the entire system.
Users employing secure boot with GPG signatures or GRUB passwords in conjunction with full disk encryption are also at risk. Certain vulnerabilities could allow adversaries to bypass these security measures. Moreover, serious flaws in filesystem handling were uncovered: when booting from a USB device, GRUB could automatically read another connected flash drive containing a filesystem specifically engineered for exploitation—enabling malicious code to run even before the operating system loads.
The comprehensive list of flaws includes buffer overflows, integer-related errors, and other programming oversights. In Secure Boot mode, the dump
command—previously usable to circumvent security—has now been disabled.
On a positive note, most major Linux distributions have already adopted or plan to adopt these fixes, significantly reducing the risk of large-scale exploitation. However, not all distributions are willing to rely on unstable GRUB versions from the Git repository. Distributions such as Trisquel, Parabola, and Guix—adhering strictly to a 100% free software policy—have expressed reservations about adopting unsigned releases. Parabola is currently considering the creation of a separate grub-git
package, free from known vulnerabilities, to be maintained in parallel with the existing GRUB package.
Community developers hope that the current situation will prompt the GRUB project to enhance its release processes and adopt a more responsive approach to security issues.