vulnerability
Arch Linux: Arbitrary code execution (CVE-2020-25647)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:L/AC:L/Au:N/C:C/I:C/A:C) | Mar 3, 2021 | Jul 11, 2025 | Mar 25, 2026 |
Severity
7
CVSS
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Published
Mar 3, 2021
Added
Jul 11, 2025
Modified
Mar 25, 2026
Description
grub_usb_device_initialize() is called to handle USB device initialization. It reads out the descriptors it needs from the USB device and uses that data to fill in some USB data structures. grub_usb_device_initialize() performs very little bounds checking and simply assumes the USB device provides sane values. This behavior can trigger memory corruption. If properly exploited, this would lead to arbitrary code execution allowing the attacker to bypass the Secure Boot mechanism.
Solution
arch-linux-upgrade-latest
References
- CVE-2020-25647
- https://attackerkb.com/topics/CVE-2020-25647
- https://bugzilla.redhat.com/show_bug.cgi?id=1886936
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2020-18312
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZWZ36QK4IKU6MWDWNOOWKPH3WXZBHT2R/
- https://security.archlinux.org/ASA-202106-43
- https://security.gentoo.org/glsa/202104-05
- https://security.netapp.com/advisory/ntap-20220325-0001/
- CWE-787
- EUVD-EUVD-2020-18312
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.