Debian Security Advisory

DSA-4735-1 grub2 -- security update

Date Reported:
29 Jul 2020
Affected Packages:
grub2
Security database references:
In Mitre's CVE dictionary: CVE-2020-10713, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-15706, CVE-2020-15707.
More information:

Several vulnerabilities have been discovered in the GRUB2 bootloader.

  • CVE-2020-10713

    A flaw was found in the grub.cfg parsing code that allows UEFI Secure Boot to be bypassed and arbitrary code to be loaded. Details can be found at

  • CVE-2020-14308

    It was discovered that grub_malloc does not validate the allocation size, allowing an arithmetic overflow and subsequently a heap-based buffer overflow.

  • CVE-2020-14309

    An integer overflow in grub_squash_read_symlink may lead to a heap-based buffer overflow.

  • CVE-2020-14310

    An integer overflow in read_section_from_string may lead to a heap-based buffer overflow.

  • CVE-2020-14311

    An integer overflow in grub_ext2_read_link may lead to a heap-based buffer overflow.

  • CVE-2020-15706

    A use-after-free was found in the script engine when a function is redefined while it is being executed.

  • CVE-2020-15707

    An integer overflow flaw was found in the initrd size handling.
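
The size-arithmetic bugs above (CVE-2020-14308, the allocation-size wrap in grub_malloc, and CVE-2020-15707, the initrd size overflow) share one pattern: a count multiplied by an element size, or several file sizes added together, wraps in a fixed-width integer, so a buffer is allocated far smaller than the data later written into it. The following is an added example, not GRUB code and not part of this advisory: it uses a hypothetical 32-bit `gsize_t` standing in for a 32-bit grub_size_t, shows the unchecked computation beside overflow-checked multiply and add helpers, and a hypothetical `demo_calloc` and `total_initrd_size` that refuse wrapped sizes instead of returning an undersized buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 32-bit size type standing in for grub_size_t on a 32-bit
 * build (assumption for this example; not GRUB's own definition). */
typedef uint32_t gsize_t;
#define GSIZE_MAX ((gsize_t)-1)

/* Unchecked pattern of the CVE-2020-14308 class: count * elem wraps
 * silently, so a huge count buys a tiny allocation and later element
 * writes run off the end of the heap chunk. */
static gsize_t unchecked_alloc_size(gsize_t count, gsize_t elem)
{
    return count * elem;
}

/* Overflow-checked multiply: false on wrap, product in *out otherwise. */
static bool checked_mul(gsize_t count, gsize_t elem, gsize_t *out)
{
    if (elem != 0 && count > GSIZE_MAX / elem)
        return false;
    *out = count * elem;
    return true;
}

/* Overflow-checked add: false on wrap, sum in *out otherwise. */
static bool checked_add(gsize_t a, gsize_t b, gsize_t *out)
{
    if (a > GSIZE_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Hypothetical calloc-style allocator that returns NULL when the byte
 * count would wrap, instead of handing back an undersized buffer. */
static void *demo_calloc(gsize_t count, gsize_t elem)
{
    gsize_t bytes;
    if (!checked_mul(count, elem, &bytes))
        return NULL;
    return calloc(1, bytes);
}

/* Sum the sizes of several initrd images (the CVE-2020-15707 class of
 * bug): returns false if the total would wrap, so no destination buffer
 * is ever sized from a truncated total. */
static bool total_initrd_size(const gsize_t *sizes, size_t n, gsize_t *out)
{
    gsize_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (!checked_add(total, sizes[i], &total))
            return false;
    }
    *out = total;
    return true;
}

int main(void)
{
    /* Constructed inputs: an attacker-chosen element count and two
     * initrd sizes whose sum does not fit in 32 bits. */
    gsize_t total;
    const gsize_t initrds[] = { 0x80000000u, 0x80000000u };

    printf("unchecked 0x40000001 * 4 = %u bytes\n",
           (unsigned)unchecked_alloc_size(0x40000001u, 4u));
    printf("demo_calloc(0x40000001, 4) -> %s\n",
           demo_calloc(0x40000001u, 4u) ? "buffer" : "NULL (refused)");
    printf("initrd total fits: %s\n",
           total_initrd_size(initrds, 2, &total) ? "yes" : "no (refused)");
    return 0;
}
```

The checks are the same ones a hardened allocator performs before calling the real allocator: compare against the maximum divided by the element size rather than multiplying and then testing the result, because the wrapped product carries no trace of the overflow.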

Further detailed information can be found at

For the stable distribution (buster), these problems have been fixed in version 2.02+dfsg1-20+deb10u1.

We recommend that you upgrade your grub2 packages.

For the detailed security status of grub2 please refer to its security tracker page at: