Additional Information Regarding the "BootHole" (GRUB) Vulnerability

Summary: Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

Affected Platform: Dell Client Consumer and Commercial platforms


Problem:

Dell Client Consumer and Commercial platforms include a UEFI Secure Boot certificate authority that would permit booting a vulnerable GRUB bootloader even if Secure Boot is enabled. This could allow the use of a malicious GRUB configuration file (grub.cfg) using a physical access to the platform, or OS administrator privileges. This could allow attackers to run malware and alter the boot process, among other malicious actions.


Reference:

Operating System provider’s advisories can be found on the following Dell Security Notice https://www.dell.com/support/article/SLN322283.


Frequently Asked Questions:


Q: Which models are affected?

A: Dell Client and Commercial platforms that have UEFI Secure Boot enabled are impacted. Dell Technologies recommends that customers review their Operating System provider’s advisories for more information, including appropriate identification and additional mitigation measures.

Customer should follow security best practices and prevent unauthorized physical access to devices. Customer can also take the following measures to further protect themselves from physical attacks.

  1. Set BIOS Admin Password to prevent alteration of the BIOS Setup configuration, such as the boot device, and Secure Boot mode.
  2. Configure boot settings to only allow booting to the internal boot device.


Q: I use a Windows Operating System. Am I impacted?

A: Yes. Windows Operating Systems are impacted. A malicious actor that has physical access to the platform, or OS administrator privileges, could load a vulnerable GRUB UEFI binary and boot time malware.


Q: What do I must do to address this vulnerability?

A: There are multiple components that may need to be updated:  

Applicable to Windows and Linux based Operating Systems:

UEFI Forbidden signatures databases (dbx) update

A signed revocation database update has been made available by Microsoft that prevents systems from booting vulnerable GRUB binaries.

Installing this update prevents existing vulnerable Linux OS installation and recovery media from booting when UEFI Secure Boot is enabled.

Applicable to Linux Operating Systems:

GRUB Patch

As part of Linux Operating System vendors' advisories, they are rolling out updated GRUB binaries.


Q: I applied the dbx updates, and I can no longer boot Linux OS installation media. What do I do?

A: Customers who experience issues after updating dbx can revert to the dbx update by doing the following:

  1. Enter BIOS Setup (F2).
  2. Navigate to the Expert Key Management screen.
  3. Enable Custom Mode.
  4. Apply Changes to Save Changes.
  5. Exit BIOS Setup to reboot the system.
  6. Re-enter BIOS Setup (F2).
  7. Navigate to the Expert Key Management screen.
  8. Disable Custom Mode.
  9. Apply Changes to Save Changes.
  10. Exit BIOS Setup to reboot the system


This reverts to your factory-default dbx database.

Warning: Your system is no longer patched, and is vulnerable to this disclosure. Please refer to Operating System provider’s advisories for updates.

Cause

N/A

Resolution

N/A

Article Properties
Article Number: 000131748
Article Type: Solution
Last Modified: 21 Aug 2025
Version:  5
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.