During the network boot process, when searching for the configuration file, GRUB copies data from a user-controlled environment variable into an internal buffer using the grub_strcpy() function. During this step it fails to take the length of the environment variable into account when allocating the internal buffer, resulting in an out-of-bounds write. If successfully exploited, this issue may result in remote code execution from the same network segment on which GRUB is searching for the boot information, which can be used to bypass Secure Boot protections.
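As an added illustration in C (not GRUB's code and not part of the advisory), the defect class described above: a fixed-size destination receiving a user-controlled value through an unchecked copy, beside a version that sizes its allocation from the input length. The buffer size, function names and the "/grub.cfg" suffix are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed fixed buffer size; the real GRUB allocation is not on the page. */
#define CONFIG_PATH_CAP 64

/* Unsafe pattern: the destination is sized without looking at the input.
 * Instead of performing the out-of-bounds write, this reports whether an
 * unchecked strcpy() into the fixed buffer would overflow it. */
static int unsafe_copy_would_overflow(const char *env_value)
{
    char buf[CONFIG_PATH_CAP];
    if (strlen(env_value) + 1 > sizeof buf)
        return 1;               /* strcpy(buf, env_value) would overflow */
    strcpy(buf, env_value);     /* safe only because of the check above */
    return 0;
}

/* Hardened pattern: compute the exact size from both parts, guard the
 * arithmetic, then copy with bounded memcpy. Caller frees the result. */
static char *build_config_path(const char *env_value, const char *suffix)
{
    size_t env_len = strlen(env_value);
    size_t suf_len = strlen(suffix);
    if (env_len > SIZE_MAX - suf_len - 1)
        return NULL;            /* length arithmetic would wrap */
    char *out = malloc(env_len + suf_len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, env_value, env_len);
    memcpy(out + env_len, suffix, suf_len + 1);  /* includes the NUL */
    return out;
}

/* Constructed sample input: an over-long value of n 'A' characters. */
static const char *constructed_value(size_t n)
{
    static char sample[256];
    if (n >= sizeof sample)
        n = sizeof sample - 1;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return sample;
}

int main(void)
{
    const char *longval = constructed_value(200);
    printf("fixed buffer overflows: %d\n", unsafe_copy_would_overflow(longval));
    char *path = build_config_path(longval, "/grub.cfg");
    printf("sized copy length: %zu\n", path ? strlen(path) : 0);
    free(path);
    return 0;
}
```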
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2025:2521 https://access.redhat.com/errata/RHSA-2025:2521
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Via RHSA-2025:2653 https://access.redhat.com/errata/RHSA-2025:2653
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Telecommunications Update Service; Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Via RHSA-2025:2655 https://access.redhat.com/errata/RHSA-2025:2655
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:2675 https://access.redhat.com/errata/RHSA-2025:2675
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Via RHSA-2025:2784 https://access.redhat.com/errata/RHSA-2025:2784
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:2799 https://access.redhat.com/errata/RHSA-2025:2799
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:2867 https://access.redhat.com/errata/RHSA-2025:2867
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2025:2869 https://access.redhat.com/errata/RHSA-2025:2869
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:3367 https://access.redhat.com/errata/RHSA-2025:3367
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extended Lifecycle Support Via RHSA-2025:3396 https://access.redhat.com/errata/RHSA-2025:3396
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.17 Via RHSA-2025:3297 https://access.redhat.com/errata/RHSA-2025:3297
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.16 Via RHSA-2025:3301 https://access.redhat.com/errata/RHSA-2025:3301
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.18 Via RHSA-2025:3577 https://access.redhat.com/errata/RHSA-2025:3577
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2025:3573 https://access.redhat.com/errata/RHSA-2025:3573