CVE-2020-15705 | GRUB2: avoid loading unsigned kernels when GRUB is booted directly under secureboot without shim

GRUB2 fails to validate kernel signature when booted directly without shim, allowing secure boot to be bypassed. This only affects systems where the kernel signing certificate has been imported directly into the secure boot database and the GRUB image is booted directly without the use of shim. This issue affects GRUB2 version 2.04 and prior versions.

Published: 2020-07-29 Last update: 2024-11-21 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-15705 is rated Low Risk (28.6/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.03%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2020-15705

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-11-21 0.10% 0.03% -0.07%
2 2025-11-18 0.02% 0.10% +0.08%
3 2025-03-17 0.02%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-15705

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
6.4 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 0.5 5.9 [email protected]
6.4 3.1 MEDIUM
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 0.5 5.9 [email protected]
4.4 2.0 MEDIUM
AV:L/AC:M/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:L)
Requires local access to the target system.
Access complexity (AC:M)
Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 3.4 6.4 [email protected]

Weakness enumeration for CVE-2020-15705

OS Trackers for CVE-2020-15705

vendor priority summary link
alpine medium CVE-2020-15705: 1 source package rows (grub); 7 state rows across 7 repos (3.17-main, 3.18-main, 3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 7, open 0. https://security.alpinelinux.org/vuln/CVE-2020-15705
debian unimportant CVE-2020-15705 unimportant priority: Debian including 1 source packages (grub2), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2020-15705
gentoo normal CVE-2020-15705: 1 GLSA(s) (202104-05), 1 atom(s) (sys-devel/grub); latest impact normal. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2020-15705
redhat medium https://access.redhat.com/security/cve/CVE-2020-15705
suse high CVE-2020-15705 severity important: SUSE including 433 source package names (amazon/suse-sles-15-sp1-chost-byos-v20210304-hvm-ssd-x86_64, amazon/suse-sles-15-sp1-chost-byos-v20220127-hvm-ssd-x86_64, …), 660 product×package rows across 75 product lines (HPE Helion OpenStack 8, Image SLES12-SP5-Azure-BYOS, … (75 product lines)): Fixed 503, Known Affected 157. https://www.suse.com/security/cve/CVE-2020-15705/
ubuntu medium CVE-2020-15705 medium priority: Ubuntu including 3 source packages (grub2, grub2-signed, grub2-unsigned), 44 status rows across 16 suites (bionic, eoan, focal, groovy, hirsute, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 30, released 8, needs-triage 3, DNE 1, ignored 1, needed 1. https://ubuntu.com/security/CVE-2020-15705

Affected software / configurations for CVE-2020-15705

Vendor Product Version Raw CPE
gnu grub2 <= 2.04 cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*
redhat enterprise_linux_atomic_host cpe:2.3:a:redhat:enterprise_linux_atomic_host:-:*:*:*:*:*:*:*
redhat openshift_container_platform 4.0 cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
canonical ubuntu_linux 14.04 cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
canonical ubuntu_linux 16.04 cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 18.04 cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
canonical ubuntu_linux 20.04 cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
debian debian_linux 10.0 cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
opensuse leap 15.1 cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
opensuse leap 15.2 cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
redhat enterprise_linux 7.0 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
redhat enterprise_linux 8.0 cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
suse suse_linux_enterprise_server 11 cpe:2.3:o:suse:suse_linux_enterprise_server:11:*:*:*:*:*:*:*
suse suse_linux_enterprise_server 12 cpe:2.3:o:suse:suse_linux_enterprise_server:12:*:*:*:*:*:*:*
suse suse_linux_enterprise_server 15 cpe:2.3:o:suse:suse_linux_enterprise_server:15:*:*:*:*:*:*:*
microsoft windows_10 cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
microsoft windows_10 1607 cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
microsoft windows_10 1709 cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*
microsoft windows_10 1803 cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*
microsoft windows_10 1809 cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
microsoft windows_10 1903 cpe:2.3:o:microsoft:windows_10:1903:*:*:*:*:*:*:*
microsoft windows_10 1909 cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*
microsoft windows_10 2004 cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*
microsoft windows_8.1 cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
microsoft windows_rt_8.1 cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
microsoft windows_server_2012 cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
microsoft windows_server_2012 r2 cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
microsoft windows_server_2016 cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
microsoft windows_server_2016 1903 cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
microsoft windows_server_2016 1909 cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
microsoft windows_server_2016 2004 cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
microsoft windows_server_2019 cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

References for CVE-2020-15705

URL Tags
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00067.html Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00069.html Mailing List Third Party Advisory
http://ubuntu.com/security/notices/USN-4432-1 Third Party Advisory
http://www.openwall.com/lists/oss-security/2020/07/29/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/03/02/3 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/2 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/17/4 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/09/21/1 Mailing List Third Party Advisory
https://access.redhat.com/security/vulnerabilities/grub2bootloader Third Party Advisory
https://lists.gnu.org/archive/html/grub-devel/2020-07/msg00034.html Issue Tracking Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200011 Patch Third Party Advisory Vendor Advisory
https://security.gentoo.org/glsa/202104-05 Third Party Advisory
https://security.netapp.com/advisory/ntap-20200731-0008/ Third Party Advisory
https://usn.ubuntu.com/4432-1/ Third Party Advisory
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass Third Party Advisory
https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot Third Party Advisory
https://www.eclypsium.com/2020/07/29/theres-a-hole-in-the-boot/ Third Party Advisory
https://www.openwall.com/lists/oss-security/2020/07/29/3 Mailing List Third Party Advisory
https://www.suse.com/c/suse-addresses-grub2-secure-boot-issue/ Third Party Advisory
https://www.suse.com/support/kb/doc/?id=000019673 Third Party Advisory
cvelogic Threat Intelligence