PatchSiren cyber security CVE debrief
CVE-2025-61664 Red Hat CVE debrief
A Use-After-Free vulnerability in the GRUB2 bootloader's normal module allows system crashes and potential confidentiality/integrity impacts when the normal_exit command is invoked after its module is unloaded.
- Vendor: Red Hat
- Product: GRUB2
- CVSS: MEDIUM 4.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-18
- Original CVE updated: 2026-05-19
- Advisory published: 2025-11-18
- Advisory updated: 2026-05-19
Who should care
System administrators managing Linux/Unix systems using GRUB2; security teams responsible for boot chain integrity; organizations with physical security requirements for endpoint devices.
Technical summary
The GRUB2 bootloader's normal module does not unregister the normal_exit command when the module is unloaded, so the command remains callable after the memory backing it has been freed. An attacker with local access can trigger this Use-After-Free by invoking normal_exit after the module has been removed, causing freed memory to be accessed. The result is a denial of service (system crash) and a possible impact on data confidentiality and integrity. The attack requires local access and is rated high complexity due to timing constraints; no privileges and no user interaction are required.
Defensive priority
Medium
Recommended defensive actions
- Apply GRUB2 updates from distribution vendor when available
- Restrict physical and console access to systems using GRUB2
- Monitor for unexpected system crashes during boot process
- Review secure boot configurations to reduce attack surface
Evidence notes
CVSS 3.1 score 4.9 (Medium) with vector AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L per NVD. CWE-825 (Expired Pointer Dereference) identified. Vendor attribution to Red Hat based on reference domain evidence with low confidence; requires review.
Official resources
Published 2025-11-18; modified 2026-05-19. No CISA KEV entry.