The Red Hat grub2 packages contain multiple security vulnerabilities involving heap out-of-bounds writes and reads, integer overflows, use-after-free, and missing allocation checks. These vulnerabilities affect different modules including JPEG parsing (CVE-2024-45774), command extensions (CVE-2024-45775), gettext (CVE-2024-45776), UFS and HFS+ file systems (CVE-2024-45781, CVE-2024-45783, CVE-2025-0677), GPG command (CVE-2025-0622), and general read operations (CVE-2025-0690). The issues could lead to memory corruption and potentially impact system stability or security. Red Hat has released updated grub2 packages for Red Hat Enterprise Linux 9 to address these vulnerabilities.

The identified vulnerabilities can lead to heap out-of-bounds writes and reads, integer overflows, use-after-free conditions, and double decrement of reference counts within the grub2 boot loader. These memory corruption issues may cause system instability, crashes, or potentially allow an attacker to execute arbitrary code or escalate privileges during the boot process. However, no known exploits are reported in the wild at this time. The overall security impact is rated as moderate by Red Hat.

Red Hat has released updated grub2 packages for Red Hat Enterprise Linux 9 that address these vulnerabilities. Users should apply the security update as described in the Red Hat advisory RHSA-2025:6990 and the referenced article https://access.redhat.com/articles/11258. Applying the official update is the recommended remediation. No additional mitigations are specified or required beyond installing the provided patches.