The discovery of 20 flaws in open-source bootloaders highlights systemic risks for Secure Boot and IoT devices.
Microsoft has announced the discovery of 20 previously undisclosed vulnerabilities in three of the most widely used open-source bootloaders: GRUB2, U-Boot, and Barebox. The finding was made with the help of Security Copilot, the company's AI assistant for security work, which it used to speed up the search for bugs in large codebases.
GRUB2, the default bootloader of most modern Linux distributions, was the most affected, with 11 vulnerabilities covering integer overflows, buffer overflows, and a timing side channel in a cryptographic comparison. U-Boot and Barebox, widely used in embedded systems and IoT devices, account for the remaining 9 flaws, again in filesystem parsing and symbolic-link handling.
Some of the most notable flaws include:
- CVE-2025-0678: Buffer overflow in SquashFS due to an integer overflow.
- CVE-2024-56738: Side-channel vulnerability due to non-constant cryptographic comparison.
- CVE-2025-1125: Buffer overflow when opening compressed files in HFS.
- CVE-2025-0690: Integer overflow in the read command, which reads a line typed at the keyboard into a variable.
- CVE-2025-26721 to CVE-2025-26729: Nine flaws in U-Boot and Barebox in the handling of EXT4, CramFS, JFFS2, and EroFS images and of symbolic links.
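Two bug classes dominate the list above: an integer overflow in a filesystem parser that sizes a buffer too small, so that the following copy overflows the heap, and a comparison of secret data that stops at the first differing byte and so leaks through timing. The C below is an illustration added here, not code from GRUB2, U-Boot, or Barebox; the on-disk record layout, the 4 KiB length limit, and the step counter standing in for measured time are constructed for the example. Each class is shown in a vulnerable and a hardened form.

```c
/*
 * Added illustration, not bootloader code. Models two bug classes in a
 * vulnerable and a hardened form:
 *  1. integer overflow when sizing a buffer for a symlink whose length
 *     field is read from the disk image (attacker-controlled), and
 *  2. a comparison of secret bytes that exits early and leaks through timing.
 * The record layout and MAX_SYMLINK_LEN are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SYMLINK_LEN 4096u   /* constructed sanity bound for a link target */

/* Toy on-disk record: 32-bit length (host byte order) followed by `len` bytes
 * of the link target. Returns bytes written, or 0 if buf is too small.
 * The caller must pass a target of at least `len` bytes. */
size_t build_record(uint8_t *buf, size_t buf_len, uint32_t len, const char *target)
{
    if (buf_len < sizeof len + len)
        return 0;
    memcpy(buf, &len, sizeof len);
    memcpy(buf + sizeof len, target, len);
    return sizeof len + len;
}

/* Vulnerable sizing: "len + 1 for the NUL" computed in 32 bits. For
 * len == UINT32_MAX the result wraps to 0, malloc(0) hands back a tiny
 * buffer, and the copy of `len` bytes that follows overflows the heap.
 * Only the size is returned so the wrap can be observed without corrupting
 * memory. */
uint32_t vuln_alloc_size(uint32_t len)
{
    return len + 1;
}

/* Hardened parse: bound the length before any arithmetic, check that the
 * record lies inside the image, and size the allocation in size_t. Returns a
 * NUL-terminated copy of the target, or NULL for any malformed record. */
char *read_symlink_safe(const uint8_t *img, size_t img_len, size_t off)
{
    uint32_t len;

    if (off > img_len || img_len - off < sizeof len)
        return NULL;                          /* length field out of bounds */
    memcpy(&len, img + off, sizeof len);
    if (len > MAX_SYMLINK_LEN)
        return NULL;                          /* rejects UINT32_MAX outright */
    if (img_len - off - sizeof len < len)
        return NULL;                          /* target runs past the image */

    char *s = malloc((size_t)len + 1);        /* cannot wrap: len <= 4096 */
    if (!s)
        return NULL;
    memcpy(s, img + off + sizeof len, len);
    s[len] = '\0';
    return s;
}

/* Leaky comparison: returns at the first mismatch. `steps` counts the bytes
 * examined and stands in for the time an attacker measures; it grows with
 * the number of correct leading bytes, so a secret can be recovered byte by
 * byte. Returns 0 when equal, 1 otherwise. */
int cmp_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time comparison: always touches all n bytes and ORs the
 * differences into an accumulator, so `steps` (and the running time) depends
 * on n alone. Returns 0 when equal, 1 otherwise. */
int cmp_constant_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t acc = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        acc |= (uint8_t)(a[i] ^ b[i]);
    }
    return acc != 0;
}

int main(void)
{
    uint8_t img[64];
    size_t n = build_record(img, sizeof img, 13, "/boot/vmlinuz");
    char *s = read_symlink_safe(img, n, 0);
    printf("hardened parse: %s\n", s ? s : "(rejected)");
    free(s);
    printf("vulnerable size for len=UINT32_MAX: %u\n",
           (unsigned)vuln_alloc_size(UINT32_MAX));

    const uint8_t *secret = (const uint8_t *)"abcd";
    size_t st;
    cmp_early_exit(secret, (const uint8_t *)"abzz", 4, &st);
    printf("early-exit steps with 2 correct bytes: %zu\n", st);
    cmp_early_exit(secret, (const uint8_t *)"zzzz", 4, &st);
    printf("early-exit steps with 0 correct bytes: %zu\n", st);
    cmp_constant_time(secret, (const uint8_t *)"abzz", 4, &st);
    printf("constant-time steps: %zu\n", st);
    return 0;
}
```

The hardened parser checks the length against a filesystem-specific maximum before it is used in any arithmetic, which is the shape of the fixes for the symlink-handling CVEs; the constant-time comparison is the usual replacement for an early-exit memcmp wherever the compared data is secret.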
Most of these vulnerabilities require physical access to the device, or enough privilege to modify its storage or attach a crafted disk, so they are not remotely exploitable on their own. The GRUB2 flaws matter more, however: GRUB2 runs as a signed component of the Secure Boot chain, so a memory-corruption bug in it can be used to bypass Secure Boot and install a bootkit that runs before the operating system, controls the machine completely, and survives an OS reinstall. This is a systemic risk wherever boot integrity is critical, such as servers, data centers, industrial infrastructure, and connected devices.
An AI for bug hunters
These flaws were not found by traditional methods alone. Microsoft used Security Copilot, its AI assistant for security work, to analyze the GRUB2 source code, concentrating on functions that historically attract bugs, such as filesystem parsers and cryptographic routines. The tool flagged candidate vulnerabilities and suggested fixes for each, which the researchers then confirmed by hand.
According to the company, this saved roughly a week of the time such an audit normally takes.
Coordinated response from the open-source community
After identifying the flaws, Microsoft worked directly with the maintainers of the affected projects on a coordinated disclosure. Security updates have been released by the GRUB2 team (February 18, 2025) and by the U-Boot and Barebox teams (February 19, 2025). For GRUB2, the SBAT (Secure Boot Advanced Targeting) generation numbers and the UEFI DBX (forbidden signatures database) have also been updated; these are the mechanisms that revoke vulnerable signed bootloader binaries so that they no longer boot on Secure Boot systems.
In addition, potentially dangerous modules and commands are disabled when Secure Boot is enabled (GRUB2's lockdown mode), and the cryptographic and memory-safety checks in the bootloader logic have been reinforced.
A turning point in boot security?
Microsoft's report highlights a deeper issue: the same vulnerable code patterns recur across the open-source bootloaders, because code is copied from one to another, so a bug found in one is likely to be present in the others and a single flaw can be amplified on a global scale. Bootloaders also run in a pre-OS environment that lacks the mitigations a modern operating system applies to user space, such as ASLR, stack canaries, and NX protection, and they are written in memory-unsafe C, so a memory-safety bug tends to be directly exploitable.
The episode underscores the value of adding AI-assisted tooling to the security and maintenance workflows of critical projects, especially those with limited resources.
Source: Microsoft Security Blog and Security News