An inside look at CVE-2020-10713, a.k.a. the GRUB2 "BootHole" | Linux Today

An inside look at CVE-2020-10713, a.k.a. the GRUB2 “BootHole”

Written By
DK
Daniel Kiper
Sep 24, 2020

Scrutiny of the GRUB2 source code led to the discovery of the BootHole vulnerability which can be used to boot untrusted operating systems.

In early April 2020, we, the GRUB2 maintainers, were approached by security researchers from Eclypsium. The researchers had discovered an issue with a CVSS Base Score of 8.2 (“High”) in the GRUB2 script parser. This vulnerability could be used to bypass UEFI Secure Boot and to load an unsigned operating system. Our analysis of this vulnerability revealed that fixes were required in multiple layers of the boot time chain of trust. In addition to the GRUB2 fixes, we would also require fixes to the shim layer, the Linux kernel, fwupd and the entire UEFI Secure Boot signing process. OS and hardware vendors would need to revoke the security certificates of older, unpatched programs.

DK

Daniel Kiper

Linux Today Logo

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.