CVE-2023-4692 – An out-of-bounds write vulnerability in grub2's... (How to Fix)

Q: What is the severity of CVE-2023-4692?

CVE-2023-4692 has a CVSS score of 7.5 (HIGH). An out-of-bounds write vulnerability in grub2's NTFS filesystem driver allows attackers to corrupt heap metadata by presenting a specially crafted NTFS filesystem image. This can lead to arbitrary code execution and secure boot bypass, affecting systems using grub2 with NTFS support. The vulnerability impacts systems with grub2 bootloader that process NTFS filesystems during boot.

📋 TL;DR

An out-of-bounds write vulnerability in grub2's NTFS filesystem driver allows attackers to corrupt heap metadata by presenting a specially crafted NTFS filesystem image. This can lead to arbitrary code execution and secure boot bypass, affecting systems using grub2 with NTFS support. The vulnerability impacts systems with grub2 bootloader that process NTFS filesystems during boot.

💻 Affected Systems

Products:

grub2

Versions: grub2 versions with NTFS support (specific affected versions in Red Hat advisories)

Operating Systems: Linux distributions using grub2 bootloader

Default Config Vulnerable: ⚠️ Yes

Notes: Only exploitable if system uses grub2 with NTFS filesystem support and processes NTFS images during boot.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary code execution during boot, secure boot protection bypass, and potential UEFI firmware corruption leading to persistent compromise.

🟠

Likely Case

Local privilege escalation and secure boot bypass on systems where attacker can present malicious NTFS filesystem during boot process.

🟢

If Mitigated

Limited impact if secure boot is properly configured and attacker lacks physical or administrative access to modify boot files.

🌐 Internet-Facing: LOW - Requires local access or ability to modify boot files, not directly exploitable over network.

🏢 Internal Only: MEDIUM - Requires local access to system or ability to modify boot configuration/files, but can lead to significant compromise if exploited.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to present malicious NTFS filesystem during boot, typically requiring local access or ability to modify boot configuration.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor-specific updates (e.g., Red Hat RHSA-2024:2456, RHSA-2024:3184)

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-4692

Restart Required: Yes

Instructions:

1. Update grub2 package using system package manager. 2. Update grub configuration: 'grub2-mkconfig -o /boot/grub2/grub.cfg'. 3. Reboot system to apply changes.

🔧 Temporary Workarounds

Disable NTFS support in grub

linux

Remove NTFS module from grub configuration to prevent processing of NTFS filesystems during boot

echo 'GRUB_DISABLE_NTFS="true"' >> /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg

Secure boot enforcement

linux

Ensure secure boot is enabled and properly configured to prevent unauthorized boot modifications

mokutil --sb-state

🧯 If You Can't Patch

Restrict physical and administrative access to boot configuration and files
Implement strict access controls on bootloader configuration and UEFI/BIOS settings

🔍 How to Verify

Check if Vulnerable:

Check grub2 version and compare against patched versions in vendor advisories

Check Version:

rpm -q grub2 (RHEL/CentOS) or dpkg -l | grep grub (Debian/Ubuntu)

Verify Fix Applied:

Verify grub2 package version matches patched version from vendor advisory

📡 Detection & Monitoring

Log Indicators:

Unexpected grub configuration changes
Failed secure boot validations
Boot process anomalies

Network Indicators:

Not network exploitable - focus on local system indicators

SIEM Query:

Search for: grub configuration file modifications, secure boot validation failures, unexpected system reboots

📊 Metadata

CVE ID: CVE-2023-4692

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-122

Published: October 25, 2023

Last Updated: November 4, 2025

🔗 References

https://access.redhat.com/errata/RHSA-2024:2456
https://access.redhat.com/errata/RHSA-2024:3184
https://access.redhat.com/security/cve/CVE-2023-4692 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2236613 Issue Tracking,Third Party Advisory
https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/ Exploit,Third Party Advisory
https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html Mailing List
https://seclists.org/oss-sec/2023/q4/37 Mailing List,Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:2456
https://access.redhat.com/errata/RHSA-2024:3184
https://access.redhat.com/security/cve/CVE-2023-4692 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2236613 Issue Tracking,Third Party Advisory
https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/ Exploit,Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00007.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUU42E7CPYLATXOYVYNW6YTXXULAOV6L/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRJ5UZRXX2KLR4IKBJEQUNGOCXMMDLY/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PERFILCHFEUGG3OAMC6W55P6DDIBZK4Q/
https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html Mailing List
https://seclists.org/oss-sec/2023/q4/37 Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202311-14
https://security.netapp.com/advisory/ntap-20231208-0002/

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-4692, you might also want to check these: