diff --git a/.grub2.checksum b/.grub2.checksum
index cd8fe5cb9c0f8414c5618bd348e073a6976637d6..3d4e6521f41d778d0ba60e4da5a955fc3ccdd343 100644
--- a/.grub2.checksum
+++ b/.grub2.checksum
@@ -1 +1 @@
-f3bb6a1273f49e64e58f27e517d6e87621953279326760cc53402df7280ec5ce
+5ca2670114bde4a9a35cb89c8e262abfbbe6fb04af8d1d5c85f77ca3dd33bd11
diff --git a/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c6b75f6ef3a5e1e794a115345bcabfe319ad62c4
--- /dev/null
+++ b/SOURCES/0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
@@ -0,0 +1,79 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Tue, 11 Feb 2025 16:38:44 -0600
+Subject: [PATCH] net: Fix OOB write in grub_net_search_config_file()
+
+The function included a call to grub_strcpy() which copied data from an
+environment variable to a buffer allocated in grub_cmd_normal(). The
+grub_cmd_normal() didn't consider the length of the environment variable.
+So, the copy operation could exceed the allocation and lead to an OOB
+write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
+pass the underlying buffers size to the grub_net_search_config_file().
+
+Fixes: CVE-2025-0624
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/net/net.c     | 7 ++++---
+ grub-core/normal/main.c | 2 +-
+ include/grub/net.h      | 2 +-
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/grub-core/net/net.c b/grub-core/net/net.c
+index 2512862..6c0bd00 100644
+--- a/grub-core/net/net.c
++++ b/grub-core/net/net.c
+@@ -1971,14 +1971,15 @@ grub_config_search_through (char *config, char *suffix,
+ }
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config)
++grub_net_search_config_file (char *config, grub_size_t config_buf_len)
+ {
+-  grub_size_t config_len;
++  grub_size_t config_len, suffix_len;
+   char *suffix;
+ 
+   config_len = grub_strlen (config);
+   config[config_len] = '-';
+   suffix = config + config_len + 1;
++  suffix_len = config_buf_len - (config_len + 1);
+ 
+   struct grub_net_network_level_interface *inf;
+   FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
+@@ -2004,7 +2005,7 @@ grub_net_search_config_file (char *config)
+ 
+       if (client_uuid)
+         {
+-          grub_strcpy (suffix, client_uuid);
++          grub_strlcpy (suffix, client_uuid, suffix_len);
+           if (grub_config_search_through (config, suffix, 1, 0) == 0)
+             return GRUB_ERR_NONE;
+         }
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 6f6e4a8..49b9472 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -360,7 +360,7 @@ grub_try_normal_prefix (const char *prefix)
+          return err;
+ 
+        grub_snprintf (config, config_len, "%s/grub.cfg", prefix);
+-       err = grub_net_search_config_file (config);
++       err = grub_net_search_config_file (config, config_len);
+       }
+ 
+     if (err != GRUB_ERR_NONE)
+diff --git a/include/grub/net.h b/include/grub/net.h
+index 43eba92..1101b03 100644
+--- a/include/grub/net.h
++++ b/include/grub/net.h
+@@ -648,7 +648,7 @@ void
+ grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
+ 
+ grub_err_t
+-grub_net_search_config_file (char *config);
++grub_net_search_config_file (char *config, grub_size_t config_buf_len);
+ 
+ extern char *grub_net_default_server;
+ 
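Review bot: `suffix_len` in grub_net_search_config_file() is computed as `config_buf_len - (config_len + 1)` without first checking that `config_len + 1 < config_buf_len`, and the return value of `grub_strlcpy()` is discarded. If the buffer has no room after the `'-'`, `suffix_len` is 0, nothing is copied, and `config` is left unterminated because `config[config_len] = '-'` already overwrote the NUL; whether grub_try_normal_prefix() can reach that case depends on how `config_len` is sized outside this hunk. A guard before the `'-'` write, e.g. `if (config_len + 1 >= config_buf_len) return GRUB_ERR_OUT_OF_RANGE;`, would make the bound explicit, and comparing the `grub_strlcpy()` result against `suffix_len` would keep a truncated client UUID from being used as a lookup suffix. The rest of the function body, including any other writes through `suffix`, lies between the two inner hunks and is not visible here, so those should be confirmed to honour `suffix_len` as well.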
diff --git a/SOURCES/0354-misc-Implement-grub_strlcpy.patch b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
new file mode 100644
index 0000000000000000000000000000000000000000..722cab9f5017c58434be1948e9aa7dfbfe6533fd
--- /dev/null
+++ b/SOURCES/0354-misc-Implement-grub_strlcpy.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: B Horn <b@horn.uk>
+Date: Sat, 15 Jun 2024 02:33:08 +0100
+Subject: [PATCH] misc: Implement grub_strlcpy()
+
+grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
+returning the length of src and ensuring dest is always NUL
+terminated except when size is 0.
+
+Signed-off-by: B Horn <b@horn.uk>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 39 insertions(+)
+
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 981526644..0592aa68f 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -72,6 +72,45 @@ grub_stpcpy (char *dest, const char *src)
+   return d - 1;
+ }
+ 
++static inline grub_size_t
++grub_strlcpy (char *dest, const char *src, grub_size_t size)
++{
++  char *d = dest;
++  grub_size_t res = 0;
++  /*
++   * We do not subtract one from size here to avoid dealing with underflowing
++   * the value, which is why to_copy is always checked to be greater than one
++   * throughout this function.
++   */
++  grub_size_t to_copy = size;
++
++  /* Copy size - 1 bytes to dest. */
++  if (to_copy > 1)
++    while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
++      ;
++
++  /*
++   * NUL terminate if size != 0. The previous step may have copied a NUL byte
++   * if it reached the end of the string, but we know dest[size - 1] must always
++   * be a NUL byte.
++   */
++  if (size != 0)
++    dest[size - 1] = '\0';
++
++  /* If there is still space in dest, but are here, we reached the end of src. */
++  if (to_copy > 1)
++    return res;
++
++  /*
++   * If we haven't reached the end of the string, iterate through to determine
++   * the strings total length.
++   */
++  while (*src++ != '\0' && ++res)
++   ;
++
++  return res;
++}
++
+ /* XXX: If grub_memmove is too slow, we must implement grub_memcpy.  */
+ static inline void *
+ grub_memcpy (void *dest, const void *src, grub_size_t n)
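Review bot: grub_strlcpy() has no header comment stating its contract, and two properties matter to callers: it returns the full length of `src` (so truncation is `ret >= size`), and whenever `size != 0` it stores a NUL at `dest[size - 1]` even when `src` is much shorter. The second property means `size` must be the real capacity of `dest`, not just an upper bound on what the caller expects to copy, because an overstated size becomes an out-of-bounds write regardless of the source length. I would add a short block comment above the function, e.g. `/* Returns grub_strlen (src); a result >= size means truncation. Always writes dest[size - 1] when size != 0, so size must not exceed the dest allocation. */`. The function also walks `src` to its terminator after truncating, so `src` has to be NUL-terminated.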
diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches
index 83edcfbe1825071fa85400cb6f062a8e3109ecb8..c0ee4f682d97d7b1dc3c2860c5a98414821ac3de 100644
--- a/SOURCES/grub.patches
+++ b/SOURCES/grub.patches
@@ -350,3 +350,5 @@ Patch0349: 0349-grub2-mkconfig-Simplify-os_name-detection.patch
 Patch0350: 0350-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
 Patch0351: 0351-arm64-Use-proper-memory-type-for-kernel-allocation.patch
 Patch0352: 0352-cmd-search-Fix-a-possible-NULL-ptr-dereference.patch
+Patch0353: 0353-net-Fix-OOB-write-in-grub_net_search_config_file.patch
+Patch0354: 0354-misc-Implement-grub_strlcpy.patch
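Review bot: Patch0353 is listed before Patch0354, but 0353 calls `grub_strlcpy()` and 0354 is the patch that introduces it in include/grub/misc.h. The full series still builds because every patch is applied before compilation, but the tree with only 0353 applied would not be expected to compile, which gets in the way of bisecting or carrying the CVE fix on its own. Swapping the two entries (and renumbering the files to match) keeps each step of the series self-contained; the patch dates suggest that is also their upstream order.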
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 40652f14c030ec2aed8c63130c61b91533374392..9c65c9cf81c57fc67e475911f17583d9a33ea7ec 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -16,7 +16,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.06
-Release: 93%{?dist}
+Release: 94%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -548,7 +548,7 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 
 %changelog
-* Tue Feb 04 2025 Release Engineering <releng@rockylinux.org> - 2.06-93
+* Mon Mar 17 2025 Release Engineering <releng@rockylinux.org> - 2.06-94
 - Removing redhat old cert sources entries (Sherif Nagy)
 - Preserving rhel9 sbat entry based on shim-review feedback ticket no. 194
 - Adding prod cert
@@ -557,6 +557,11 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 - Adding Rocky testing CA, CERT and sbat files
 - Use DER for ppc64le builds from rocky-sb-certs (Louis Abel)
 
+* Thu Feb 20 2025 Nicolas Frayer <nfrayer@redhat.com> 2.06-94
+- CVE fixes
+- Resolves: CVE-2025-0624
+- Resolves: #RHEL-79842
+
 * Wed Oct 16 2024 Nicolas Frayer <nfrayer@redhat.com> 2.06-93
 - cmd/search: Fix a possible NULL ptr dereference
 - Resolves: #RHEL-63828