BootHole is a newly discovered security vulnerability that affects Linux systems using UEFI Secure Boot feature. The vulnerability allows full root access once exploited in the host system.

Patches across many different Linux distributions were shipped before the weekend to fix the security issue. However, after applying the patches and rebooting their systems, many users are reporting that they are unable to boot their systems at all.

Various Linux distributions were affected differently by the update due to the nature of their components. Some of them failed only with UEFI Secure Boot systems, where as others failed only with legacy BIOS systems.

boothole 5
BootHole patch issue after reboot, image by Nathaniel Graham who’s reporting the bug on openSUSE Tumbleweed

However, the issue is more critical, because it also affects cloud/DevOps systems such as Hyper-V, Amazon EC2, Microsoft Azure and most virtual machine providers.

The status of the current scene is as follows:

  • Red Hat/CentOS/Fedora: All affected, both UEFI Secure Boot and legacy. Red Hat released an update which fixes the issue, however, they still classify it as “unverified” so more testing is needed to make sure it works. It is worthy to note that Red Hat was the first to catch the issue, but the last to patch it,
  • Ubuntu/Debian: Many users are reporting that the bug only affects the BIOS-powered boot systems, and not these running UEFI Secure boot. However, a fix was released anyway and users can safely upgrade.
  • openSUSE/SUSE: The original patch caused no regression at all for most users. However, some users reported that the update caused a regression for their systems, but that is still yet to be checked. SUSE hasn’t released an update to fix a regression (Didn’t even mention discovering it).
  • Gentoo/Arch: No reports were sent about a regression, users can safely upgrade.

Honestly speaking, this is a major fail for most Linux distributions, because had this happen on Windows, Linux users would have memed Microsoft for years to come about it. A deep look is needed on why no QA team across all Linux distributions was able to catch the issue before releasing the upgrade for the world, especially enterprise distributions like Red Hat.

One can also be more concerned about novice users, who don’t know how to downgrade packages or fix the issue once it happens on their systems.

Useful Services & Offers

Check the following list of services and tools we use in our day-to-day work, perhaps they can be beneficial to you:


1 Comment
Inline Feedbacks
View all comments
Bill Gates

The important thing is to never blame DevOps. Sure, a turd came out the end of the pipeline that real testing by users would have caught but you still can\’t blame the morons who make me do a terrabyte of needless updates every week.


Useful Services



Become a Supporter

For the price of one cup of coffee per month:

  • Support the FOSS Post to produce more content.
  • Get a special account on our website.
  • Remove all the ads you are seeing (including this one!).
  • Help us get to our goal of 100 supporters, to start many initiatives.

Opinions Column

Recent Comments