CVE-2025-61662Use After Free in Grub2

CWE-416Use After Free8 documents8 sources
Severity
7.8HIGHNVD
EPSS
0.0%
top 98.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
GNU Grub2
Timeline
PublishedNov 18

Description

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality com

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

CVEListV5gnu/grub22.14
NVDgnu/grub22.14

Patches

Patch: www.openwall.com

🔴Vulnerability Details

3
OSV
CVE-2025-61662: A Use-After-Free vulnerability has been discovered in GRUB's gettext module2025-11-18
GHSA
GHSA-g7mr-vm94-3rv7: A Use-After-Free vulnerability has been discovered in GRUB's gettext module2025-11-18
CVEList
Grub2: missing unregister call for gettext command may lead to use-after-free2025-11-18

📋Vendor Advisories

3
Red Hat
grub2: Missing unregister call for gettext command may lead to use-after-free2025-11-18
Microsoft
Grub2: missing unregister call for gettext command may lead to use-after-free2025-11-11
Debian
CVE-2025-61662: grub2 - A Use-After-Free vulnerability has been discovered in GRUB's gettext module. Thi...2025

💬Community

1
Bugzilla
CVE-2025-61662 grub2: Missing unregister call for gettext command may lead to use-after-free2025-11-12
CVE-2025-61662 — Use After Free in GNU Grub2 | cvebase