Bug#1120968: grub2: CVE-2025-54770 CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664

Salvatore Bonaccorso carnil at debian.org
Tue Nov 18 21:30:28 GMT 2025


Source: grub2
Version: 2.14~git20250718.0e36779-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerabilities were published for grub2.

CVE-2025-54770[0]:
| A vulnerability has been identified in the GRUB2 bootloader's
| network module that poses an immediate Denial of Service (DoS) risk.
| This flaw is a Use-after-Free issue, caused because the net_set_vlan
| command is not properly unregistered when the network module is
| unloaded from memory. An attacker who can execute this command can
| force the system to access memory locations that are no longer
| valid. Successful exploitation leads directly to system instability,
| which can result in a complete crash and halt system availability.


CVE-2025-54771[1]:
| A use-after-free vulnerability has been identified in the GNU GRUB
| (Grand Unified Bootloader). The flaw occurs because the file-closing
| process incorrectly retains a memory pointer, leaving an invalid
| reference to a file system structure. An attacker could exploit this
| vulnerability to cause grub to crash, leading to a Denial of
| Service. Possible data integrity or confidentiality compromise is
| not discarded.


CVE-2025-61661[2]:
| A vulnerability has been identified in the GRUB (Grand Unified
| Bootloader) component. This flaw occurs because the bootloader
| mishandles string conversion when reading information from a USB
| device, allowing an attacker to exploit inconsistent length values.
| A local attacker can connect a maliciously configured USB device
| during the boot sequence to trigger this issue. A successful
| exploitation may lead GRUB to crash, leading to a Denial of Service.
| Data corruption may also be possible, although given the complexity
| of the exploit the impact is most likely limited.


CVE-2025-61662[3]:
| A Use-After-Free vulnerability has been discovered in GRUB's gettext
| module. This flaw stems from a programming error where the gettext
| command remains registered in memory after its module is unloaded.
| An attacker can exploit this condition by invoking the orphaned
| command, causing the application to access a memory location that is
| no longer valid. An attacker could exploit this vulnerability to
| cause grub to crash, leading to a Denial of Service. Possible data
| integrity or confidentiality compromise is not discarded.


CVE-2025-61663[4]:
| A vulnerability has been identified in the GRUB2 bootloader's normal
| command that poses an immediate Denial of Service (DoS) risk. This
| flaw is a Use-after-Free issue, caused because the normal command is
| not properly unregistered when the module is unloaded. An attacker
| who can execute this command can force the system to access memory
| locations that are no longer valid. Successful exploitation leads
| directly to system instability, which can result in a complete crash
| and halt system availability. Impact on the data integrity and
| confidentiality is also not discarded.


CVE-2025-61664[5]:
| A vulnerability in the GRUB2 bootloader has been identified in the
| normal module. This flaw, a memory Use After Free issue, occurs
| because the normal_exit command is not properly unregistered when
| its related module is unloaded. An attacker can exploit this
| condition by invoking the command after the module has been removed,
| causing the system to improperly access a previously freed memory
| location. This leads to a system crash or possible impacts in data
| confidentiality and integrity.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54770
    https://www.cve.org/CVERecord?id=CVE-2025-54770
[1] https://security-tracker.debian.org/tracker/CVE-2025-54771
    https://www.cve.org/CVERecord?id=CVE-2025-54771
[2] https://security-tracker.debian.org/tracker/CVE-2025-61661
    https://www.cve.org/CVERecord?id=CVE-2025-61661
[3] https://security-tracker.debian.org/tracker/CVE-2025-61662
    https://www.cve.org/CVERecord?id=CVE-2025-61662
[4] https://security-tracker.debian.org/tracker/CVE-2025-61663
    https://www.cve.org/CVERecord?id=CVE-2025-61663
[5] https://security-tracker.debian.org/tracker/CVE-2025-61664
    https://www.cve.org/CVERecord?id=CVE-2025-61664

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
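Five of the six CVEs above share one root cause: a module registers a command at load time and fails to unregister it at unload time, so the command table keeps a pointer into memory that no longer belongs to the module. The following C program is an added illustration of that pattern and its fix; it is not GRUB code and not part of this bug report. The registry, module and command names (`register_command`, `unregister_command`, `mod_fini_buggy`, `mod_fini_fixed`, `hello`) are hypothetical stand-ins, and a `loaded` flag models "memory still valid" so the program can demonstrate the stale entry without actually dereferencing freed memory.

```c
/* Added illustration (hypothetical names, not GRUB's API): a command
 * registry with module load/unload, showing why a module's teardown must
 * unregister every command it registered. */
#include <stdio.h>
#include <string.h>

#define MAX_COMMANDS 8

struct module {
    const char *name;
    int loaded;          /* stands in for "the module's memory is still valid" */
};

typedef int (*command_fn)(int argc, char **argv);

struct command {
    const char *name;    /* NULL marks a free slot */
    command_fn fn;       /* code living inside the owning module */
    struct module *owner;
};

static struct command registry[MAX_COMMANDS];
static struct module hello_mod = { "hello_mod", 0 };

static int register_command(const char *name, command_fn fn, struct module *owner)
{
    for (int i = 0; i < MAX_COMMANDS; i++) {
        if (registry[i].name == NULL) {
            registry[i].name = name;
            registry[i].fn = fn;
            registry[i].owner = owner;
            return 0;
        }
    }
    return -1;  /* table full */
}

static void unregister_command(const char *name)
{
    for (int i = 0; i < MAX_COMMANDS; i++) {
        if (registry[i].name && strcmp(registry[i].name, name) == 0) {
            memset(&registry[i], 0, sizeof registry[i]);
            return;
        }
    }
}

static int cmd_hello(int argc, char **argv) { (void)argc; (void)argv; return 0; }

/* Module init: registers a command whose code lives in this module. */
static void mod_init(struct module *m)
{
    m->loaded = 1;
    register_command("hello", cmd_hello, m);
}

/* Defective teardown: the module is released but its command stays in the
 * table, so a later invocation would jump through a dangling pointer. */
static void mod_fini_buggy(struct module *m)
{
    m->loaded = 0;
}

/* Correct teardown: remove every command first, then release the module. */
static void mod_fini_fixed(struct module *m)
{
    unregister_command("hello");
    m->loaded = 0;
}

/* Counts registered commands whose owning module is no longer loaded, i.e.
 * the stale entries an attacker-controlled command invocation would reach. */
static int count_dangling_commands(void)
{
    int n = 0;
    for (int i = 0; i < MAX_COMMANDS; i++)
        if (registry[i].name && !registry[i].owner->loaded)
            n++;
    return n;
}

/* Runs one load/unload cycle with the chosen teardown and returns how many
 * dangling commands it leaves behind (1 for the buggy fini, 0 for the fix). */
int dangling_after_unload(int use_fixed_fini)
{
    memset(registry, 0, sizeof registry);
    mod_init(&hello_mod);
    if (use_fixed_fini)
        mod_fini_fixed(&hello_mod);
    else
        mod_fini_buggy(&hello_mod);
    return count_dangling_commands();
}

int main(void)
{
    printf("buggy fini leaves %d dangling command(s)\n", dangling_after_unload(0));
    printf("fixed fini leaves %d dangling command(s)\n", dangling_after_unload(1));
    return 0;
}
```

The useful review habit this models: for every `register_*` call in a module's init path, the module's fini path should contain the matching `unregister_*`, and a teardown that only frees memory without touching the registry is the defect class these CVEs describe.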
