CVE-2025-54771

NameCVE-2025-54771
DescriptionA use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1120968

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
grub2 (PTS)bullseye (security), bullseye2.06-3~deb11u6vulnerable
bookworm, bookworm (security)2.06-13+deb12u1vulnerable
forky, trixie2.12-9vulnerable
sid2.14~git20250718.0e36779-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
grub2source(unstable)(unfixed)1120968

Notes

https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=c4fb4cbc941981894a00ba8e75d634a41967a27f
Search for package or bug name: Reporting problems