PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-54770 GNU CVE debrief

A Use-after-Free vulnerability in the GRUB2 bootloader's network module allows attackers with local access to trigger system instability and denial of service. The flaw occurs because the `net_set_vlan` command remains registered after the network module is unloaded, enabling access to freed memory. Published November 18, 2025, and last modified May 19, 2026.

Vendor
GNU
Product
GRUB2
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2025-11-18
Original CVE updated
2026-05-19
Advisory published
2025-11-18
Advisory updated
2026-05-19

Who should care

System administrators managing Linux servers with network boot capabilities, security teams responsible for bootloader integrity, and organizations relying on GRUB2 for pre-boot authentication or network-based provisioning workflows.

Technical summary

The GRUB2 bootloader's network module fails to unregister the `net_set_vlan` command when it is unloaded, so the command table keeps a pointer into the module's freed memory. This Use-after-Free condition (CWE-825) allows an attacker with local access to invoke the command and have GRUB2 dereference that freed memory, causing crashes and loss of availability. Per the CVSS 3.1 scoring, the vulnerability requires a local attack vector and has high attack complexity.
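The defect class described above (a module that frees its memory but leaves a command registered that points into it) and the "verify module unloading behavior" action from the recommended-actions list are illustrated by the following added example. It is not GRUB2's code; the registry, module structure and function names are a constructed model. The module's "free" is represented by a liveness flag rather than a real `free()`, so the program never dereferences genuinely freed memory; the `DISPATCH_DANGLING` result marks the point where the real bootloader would touch freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a bootloader command registry whose handlers live in
 * loadable modules. Hypothetical names; not GRUB2's own code. */

enum dispatch_result {
    DISPATCH_OK = 0,
    DISPATCH_NOT_FOUND = 1,
    DISPATCH_DANGLING = 2   /* handler's owning module is gone: the UAF case */
};

typedef struct module {
    const char *name;
    int loaded;             /* stands in for "memory still allocated" */
} module_t;

typedef struct command {
    const char *name;
    int (*handler)(const char *arg);
    module_t *owner;
    struct command *next;
} command_t;

static command_t *registry = NULL;

static void register_command(const char *name, int (*handler)(const char *), module_t *owner) {
    command_t *cmd = malloc(sizeof *cmd);
    if (!cmd) abort();
    cmd->name = name;
    cmd->handler = handler;
    cmd->owner = owner;
    cmd->next = registry;
    registry = cmd;
}

static int unregister_command(const char *name) {
    for (command_t **pp = &registry; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->name, name) == 0) {
            command_t *dead = *pp;
            *pp = dead->next;
            free(dead);
            return 1;
        }
    }
    return 0;
}

/* Look the command up and run it. The liveness check is the model's guard;
 * a real bootloader has no such flag and would simply follow the pointer. */
static int dispatch(const char *name, const char *arg) {
    for (command_t *c = registry; c; c = c->next) {
        if (strcmp(c->name, name) != 0) continue;
        if (!c->owner->loaded) return DISPATCH_DANGLING;
        c->handler(arg);
        return DISPATCH_OK;
    }
    return DISPATCH_NOT_FOUND;
}

/* Audit helper: registered commands whose owning module is no longer loaded. */
static int count_dangling_commands(void) {
    int n = 0;
    for (command_t *c = registry; c; c = c->next)
        if (!c->owner->loaded) n++;
    return n;
}

/* A hypothetical network module with one command. */
static module_t net_module = { "net", 0 };

static int net_set_vlan(const char *arg) { (void)arg; return 0; }

static void net_module_init(void) {
    net_module.loaded = 1;
    register_command("net_set_vlan", net_set_vlan, &net_module);
}

/* Vulnerable pattern: unload (free) without unregistering the command. */
static void net_module_fini_vulnerable(void) { net_module.loaded = 0; }

/* Fixed pattern: unregister every command the module owns before freeing it. */
static void net_module_fini_fixed(void) {
    unregister_command("net_set_vlan");
    net_module.loaded = 0;
}

/* Load, unload with the chosen fini, audit, then invoke the command. */
int run_scenario(int use_fixed_fini, int *dangling_count) {
    net_module_init();
    if (use_fixed_fini) net_module_fini_fixed(); else net_module_fini_vulnerable();
    *dangling_count = count_dangling_commands();
    int result = dispatch("net_set_vlan", "10");
    unregister_command("net_set_vlan");   /* reset so scenarios can be rerun */
    return result;
}

int main(void) {
    int dangling;
    int r = run_scenario(0, &dangling);
    printf("vulnerable fini: dispatch=%d dangling=%d\n", r, dangling);
    r = run_scenario(1, &dangling);
    printf("fixed fini:      dispatch=%d dangling=%d\n", r, dangling);
    return 0;
}
```

The audit loop in `count_dangling_commands` is the kind of check a module-unload path can run in a debug build: after `fini`, any command still pointing at the module's memory is a latent use-after-free, and the fix is to make `fini` unregister everything `init` registered.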

Defensive priority

medium

Recommended defensive actions

  • Apply vendor-provided GRUB2 updates when available from your Linux distribution
  • Verify network module unloading behavior in GRUB2 configurations
  • Monitor system logs for unexpected crashes during network boot operations
  • Review boot loader security configurations in high-availability environments

Evidence notes

Vulnerability description sourced from NVD record with CVSS 3.1 vector AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. Red Hat Bugzilla entry 2413813 and GNU GRUB development list discussion confirm technical details. Categorized as CWE-825 (Expired Pointer Dereference).

Official resources

public