July 7, 2025
Severity
High
Analysis Summary
A significant vulnerability affecting modern Linux distributions has been uncovered, enabling attackers with brief physical access to bypass Secure Boot protections by manipulating the unsigned initramfs component. The flaw centers on how many distributions drop into a debug shell after multiple failed password attempts while trying to decrypt an encrypted root partition. Because initramfs is typically not signed, unlike kernel images and modules, attackers can exploit this loophole to inject persistent malware without disrupting the signed boot process, effectively maintaining access even after the user enters the correct decryption credentials.
A security researcher demonstrated that attackers could unpack the initramfs using tools such as unmkinitramfs, inject malicious hooks (notably within the scripts/local-bottom/ directory), and repack it. These injected scripts execute right after the root partition is decrypted, remounting the file system read-write and enabling persistent backdoor access. The approach circumvents Secure Boot because it rides on the standard boot sequence without modifying any cryptographically verified component. Furthermore, once inside the debug shell, attackers can load malicious tools from external USB devices to complete the compromise.
According to the report, testing showed that several distributions, including Ubuntu 25.04, Debian 12, Fedora 42, and AlmaLinux 10, are vulnerable, although the method of triggering the debug shell varies. Ubuntu requires only three incorrect password attempts, while Debian grants shell access after the RETURN key is held for about a minute. Although Fedora and AlmaLinux initially lack USB support in initramfs, attackers can reboot and use alternate boot entries to gain the needed access. OpenSUSE Tumbleweed, however, is notably immune because it encrypts the full boot partition by default.
To mitigate this attack vector, system administrators are advised to disable debug shells by adding specific kernel parameters: panic=0 for Ubuntu and rd.shell=0 rd.emergency=halt for Red Hat-based systems. Additional defenses include setting bootloader passwords, encrypting boot partitions using LUKS, enabling SSD-level encryption, and adopting Unified Kernel Images (UKIs) that cryptographically bind kernel and initramfs together. Advanced security can also be achieved using Trusted Platform Modules (TPMs) to measure and verify the initramfs at boot time, ensuring the integrity of this crucial component.
Impact
- Gain Access
- Security Bypass
Remediation
- Add kernel parameters to disable debug shell access during boot failures: panic=0 for Ubuntu-based systems, and rd.shell=0 rd.emergency=halt for Red Hat-based systems.
- Enable bootloader password protection to restrict unauthorized changes or access during system startup.
- Encrypt the boot partition using LUKS to prevent unauthorized modification of initramfs.
- Enable native SSD encryption to secure data at the hardware level.
- Use Unified Kernel Images (UKIs) to bundle the kernel and initramfs into a single signed binary, eliminating unsigned initramfs vulnerabilities.
- Implement Trusted Platform Module (TPM) measurements to verify the integrity of initramfs by storing hash values in Platform Configuration Registers (PCRs).
- Disable or remove unnecessary modules (e.g., usb_storage) from initramfs to reduce attack surface.
- Monitor for unauthorized changes to initramfs and implement integrity verification mechanisms.
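As an added example (not part of the advisory), the following POSIX shell script audits a kernel command line for the debug-shell parameters listed above and keeps a SHA-256 baseline of the initramfs image so unauthorized changes can be detected. It assumes Linux with GNU coreutils (sha256sum); the family labels "ubuntu" and "redhat" are the script's own names for the two parameter sets.

```shell
#!/bin/sh
# Added example: audit the kernel command line for the debug-shell mitigations
# (panic=0 / rd.shell=0 rd.emergency=halt) and baseline the initramfs hash.
# Assumes GNU coreutils; "ubuntu" and "redhat" are labels chosen by this script.

# check_cmdline FAMILY CMDLINE
# Prints "ok" when every required parameter is present as a whole token,
# otherwise prints "missing: <params>" and returns 1.
check_cmdline() {
    family="$1"
    cmdline="$2"
    missing=""
    case "$family" in
        ubuntu) required="panic=0" ;;
        redhat) required="rd.shell=0 rd.emergency=halt" ;;
        *) echo "unknown family: $family" >&2; return 2 ;;
    esac
    for p in $required; do
        # Pad with spaces so "panic=0" does not match a token like "panic=0x".
        case " $cmdline " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# initramfs_baseline IMAGE BASELINE_FILE
# Records the SHA-256 of the initramfs image for later integrity checks.
initramfs_baseline() {
    sha256sum "$1" > "$2"
}

# initramfs_verify BASELINE_FILE
# Returns 0 only if every image recorded in the baseline still hashes the same.
initramfs_verify() {
    sha256sum -c --quiet "$1" >/dev/null 2>&1
}

# Stand-alone use: ./audit.sh ubuntu|redhat [/boot/initrd.img baseline.sha256]
if [ $# -ge 1 ]; then
    check_cmdline "$1" "$(cat /proc/cmdline)"
    if [ $# -ge 3 ]; then
        initramfs_baseline "$2" "$3"
    fi
fi
```

Run initramfs_baseline again only after a legitimate kernel or initramfs update; any other failed initramfs_verify is worth investigating.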