PatchSiren cyber security CVE debrief
CVE-2025-61662 GNU CVE debrief
CVE-2025-61662 is a high-severity use-after-free in GRUB2’s gettext module. The issue arises when the gettext command remains registered after its module is unloaded, leaving an orphaned command that can access freed memory. The published record centers on crash/denial of service, while the CVSS vector also reflects possible confidentiality and integrity impact.
- Vendor: GNU
- Product: GRUB2
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-18
- Original CVE updated: 2026-05-20
- Advisory published: 2025-11-18
- Advisory updated: 2026-05-20
Who should care
Administrators and platform teams responsible for systems that ship or embed GRUB2, especially where affected versions may be present on production servers, workstations, or recovery images. Security teams should also track vendor errata tied to this CVE.
Technical summary
The NVD record maps this issue to CWE-416 (Use After Free) and lists affected GRUB2 versions through 2.14. The CVSS vector is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a locally exploitable flaw requiring low privileges and no user interaction. The described programming error is a lifecycle bug: after the module is unloaded, its command remains registered, so a later invocation dereferences memory that has already been freed. The corpus indicates at least denial of service by crashing GRUB, and the impact scoring leaves open the possibility of broader confidentiality or integrity effects.
Defensive priority
High. This is a pre-boot component issue with local exploitability and a high CVSS score. Prioritize patching affected GRUB2 deployments and validating boot recovery paths before rollout.
Recommended defensive actions
- Inventory systems using GRUB2 and confirm whether the installed version is 2.14 or earlier.
- Apply the relevant vendor or upstream updates referenced by the CVE record and associated advisories.
- Rebuild and redeploy bootloader packages or images where GRUB2 is embedded in golden images, recovery media, or appliance builds.
- Test boot paths after remediation to confirm the system still starts cleanly and no module-loading regressions were introduced.
- Review local access assumptions on systems with sensitive boot components, since the issue requires local privileges per the CVSS vector.
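An added helper for the inventory step above (example code, not from the advisory or the GRUB project): it classifies a GRUB2 version string against the affected range the NVD record lists (through 2.14) and queries the local installation through whichever of grub-install or grub2-install is present; the tool names and banner format are assumptions based on common distributions.

```shell
#!/bin/sh
# Added inventory helper, not part of the advisory or the GRUB project.
# Classifies a GRUB2 version string against the range the NVD record lists
# as affected (versions through 2.14) and reports on the local installation.

# Return 0 if the version is 2.14 or earlier, 1 if newer, 2 if unparseable.
is_affected_version() {
  ver=$1
  # Keep only the leading "major.minor"; distro suffixes such as
  # "2.12-1ubuntu7" or "2.06~rc1" are dropped before comparison.
  mm=$(printf '%s\n' "$ver" | sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
  [ -n "$mm" ] || return 2
  set -- $mm
  major=$1
  minor=$2
  # The [ builtin compares as decimal, so "06" is read as 6, not as octal.
  if [ "$major" -lt 2 ]; then return 0; fi
  if [ "$major" -eq 2 ] && [ "$minor" -le 14 ]; then return 0; fi
  return 1
}

# Extract the version from a "grub-install (GRUB) 2.12-1ubuntu7.1" banner.
version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/.*(GRUB) \([0-9][^ ]*\).*/\1/p'
}

# Debian/Ubuntu ship grub-install; the Red Hat family ships grub2-install.
# One status line per tool found; always exits 0 so it can run fleet-wide.
check_local_grub() {
  for tool in grub-install grub2-install; do
    command -v "$tool" >/dev/null 2>&1 || continue
    banner=$("$tool" --version 2>/dev/null || true)
    ver=$(version_from_banner "$banner")
    is_affected_version "$ver" && status=0 || status=$?
    case $status in
      0) state="in NVD affected range (<= 2.14); check vendor errata" ;;
      1) state="newer than 2.14" ;;
      *) state="version not recognised; inspect manually" ;;
    esac
    echo "$(uname -n): $tool ${ver:-?} -> $state"
  done
}

check_local_grub
```

A version-string match is only a first pass: distributions such as Red Hat backport fixes without changing the upstream version, so the package errata referenced by the advisories decide whether a given build is actually fixed.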
Evidence notes
The CVE was published on 2025-11-18 and modified on 2026-05-20. The NVD record describes a use-after-free in GRUB’s gettext module caused by a command that stays registered after module unload. NVD maps the weakness to CWE-416 and lists cpe:2.3:a:gnu:grub2:* with vulnerable versions through 2.14. The CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Source references include multiple Red Hat advisories plus GNU mailing list and Openwall patch discussion links, which support that remediation and upstream coordination exist in the source corpus.
Official resources
Publicly disclosed in the CVE/NVD record on 2025-11-18, with later NVD modification on 2026-05-20. The source corpus also points to upstream and vendor advisory references for remediation context.