SB2025112477 - SUSE update for grub2 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025112477

SB2025112477 - SUSE update for grub2

Published: November 24, 2025

Security Bulletin ID SB2025112477
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Physical access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Use-after-free (CVE-ID: CVE-2025-54771)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure within the grub_file_read() function in grub-core/kern/file.c. A local user can trigger a use-after-free error and crash the application. 


2) Out-of-bounds write (CVE-ID: CVE-2025-61661)

The vulnerability allows an attacker to perform a denial of service attack.

The vulnerability exists due to a boundary error within the grub_usb_get_string() function in grub-core/commands/usbtest.c. An attacker with physical access to the system can connect a specially crafted USB device during the boot sequence, trigger an out-of-bounds write and perform a denial of service (DoS) attack.


3) Use-after-free (CVE-ID: CVE-2025-61662)

The vulnerability allows an attacker to perform a denial of service attack.

The vulnerability exists due to a use-after-free error within the grub_cmd_translate() function in grub-core/gettext/gettext.c. An attacker with physical access to the system can perform a denial of service attack. 


4) Use-after-free (CVE-ID: CVE-2025-61663)

The vulnerability allows an attacker to perform a denial of service attack.

The vulnerability exists due to the normal command is not properly unregistered when the module is unloaded. An attacker with physical access to the system can perform a denial of service attack.


5) Use-after-free (CVE-ID: CVE-2025-61664)

The vulnerability allows an attacker to perform a denial of service attack.

The vulnerability exists due to a use-after-free error when the normal_exit command is invoked after the normal module unload. An attacker with physical access to the system can perform a denial of service attack.



Remediation

Install update from vendor's website.

References