A set of patches has been published that eliminates 6 vulnerabilities in the GRUB2 bootloader, most of which involve use-after-free memory access. These vulnerabilities could potentially allow attackers to bypass the UEFI Secure Boot verified boot mechanism.
The status of vulnerabilities in various distributions can be checked on these pages: Debian, Ubuntu, SUSE, RHEL, Arch, and Fedora.
To address the vulnerabilities in GRUB2, updating the package alone is not sufficient: new internal digital signatures must also be generated, and the installers, boot loaders, kernel packages, fwupd firmware, and shim layer must be updated.
Identified vulnerabilities:
- CVE-2025-61661 – an out-of-bounds write in the grub_usb_get_string() function, reachable when processing UTF-8 and UTF-16 encoded strings returned by USB devices during enumeration. A modified USB device can trigger it by returning an understated size value.
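The bug class behind CVE-2025-61661 is a device-supplied length that the host trusts when sizing or filling a buffer. The following is an added example, not GRUB's code and not a reconstruction of the patch: it parses a USB string descriptor (whose first byte, bLength, is reported by the device) and converts the UTF-16LE payload to UTF-8, deriving every size from one validated length and bounding every write by the destination capacity. The sample descriptors are constructed, not captured from real hardware, and the page does not describe the exact fault in grub_usb_get_string() beyond the summary above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* USB string descriptor layout: byte 0 = bLength (total bytes incl. header),
 * byte 1 = bDescriptorType (3 = STRING), then UTF-16LE code units. */
#define USB_DT_STRING 3

/* Converts a string descriptor to NUL-terminated UTF-8 in `out`.
 * `received` is the byte count the transfer actually delivered; the
 * device-reported bLength is untrusted and is reconciled against it.
 * Returns the number of UTF-8 bytes written (excluding NUL) or -1. */
int usb_string_to_utf8(const uint8_t *desc, size_t received,
                       char *out, size_t out_size)
{
    if (out_size == 0) return -1;
    out[0] = '\0';
    if (desc == NULL || received < 2) return -1;
    if (desc[1] != USB_DT_STRING) return -1;

    /* Single source of truth for the input size: the smaller of what the
     * device claims and what actually arrived. An understated bLength only
     * shortens the string; an overstated one cannot read past the buffer. */
    size_t usable = desc[0];
    if (usable > received) usable = received;
    if (usable < 2) return -1;
    size_t units = (usable - 2) / 2;   /* whole UTF-16LE code units only */

    size_t o = 0;
    for (size_t i = 0; i < units; i++) {
        uint16_t cu = (uint16_t)(desc[2 + 2 * i] | (desc[3 + 2 * i] << 8));
        uint32_t cp = cu;
        if (cu >= 0xD800 && cu <= 0xDBFF) {
            /* High surrogate must be followed by a low surrogate. */
            if (i + 1 >= units) return -1;
            uint16_t lo = (uint16_t)(desc[4 + 2 * i] | (desc[5 + 2 * i] << 8));
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            cp = 0x10000 + (((uint32_t)cu - 0xD800) << 10) + (lo - 0xDC00);
            i++;
        } else if (cu >= 0xDC00 && cu <= 0xDFFF) {
            return -1;  /* lone low surrogate */
        }
        /* Encode into scratch space first, then bounds-check the copy. */
        uint8_t enc[4];
        size_t n;
        if (cp < 0x80) { enc[0] = (uint8_t)cp; n = 1; }
        else if (cp < 0x800) {
            enc[0] = (uint8_t)(0xC0 | (cp >> 6)); enc[1] = (uint8_t)(0x80 | (cp & 0x3F)); n = 2;
        } else if (cp < 0x10000) {
            enc[0] = (uint8_t)(0xE0 | (cp >> 12)); enc[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
            enc[2] = (uint8_t)(0x80 | (cp & 0x3F)); n = 3;
        } else {
            enc[0] = (uint8_t)(0xF0 | (cp >> 18)); enc[1] = (uint8_t)(0x80 | ((cp >> 12) & 0x3F));
            enc[2] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F)); enc[3] = (uint8_t)(0x80 | (cp & 0x3F)); n = 4;
        }
        /* The destination size, not bLength, governs the write. */
        if (o + n >= out_size) return -1;   /* keep room for the NUL */
        memcpy(out + o, enc, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

/* Constructed sample descriptors (hypothetical, not from real devices). */
static const uint8_t DESC_AB[]         = {6, 3, 'A', 0, 'B', 0};          /* consistent */
static const uint8_t DESC_UNDERSIZED[] = {4, 3, 'A', 0, 'B', 0};          /* bLength says 4, 6 bytes arrived */
static const uint8_t DESC_OVERSIZED[]  = {20, 3, 'A', 0};                 /* bLength says 20, 4 bytes arrived */
static const uint8_t DESC_EMOJI[]      = {6, 3, 0x3D, 0xD8, 0x00, 0xDE};  /* U+1F600 as a surrogate pair */
static const uint8_t DESC_LONE_HI[]    = {4, 3, 0x3D, 0xD8};              /* dangling high surrogate */

/* 1 if the descriptor converts exactly to `expect` within `out_size` bytes. */
int converts_to(const uint8_t *desc, size_t received, size_t out_size, const char *expect)
{
    char buf[32];
    if (out_size > sizeof buf) out_size = sizeof buf;
    int n = usb_string_to_utf8(desc, received, buf, out_size);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* 1 if the conversion is refused (malformed input or destination too small). */
int usb_string_rejects(const uint8_t *desc, size_t received, size_t out_size)
{
    char buf[32];
    if (out_size > sizeof buf) out_size = sizeof buf;
    return usb_string_to_utf8(desc, received, buf, out_size) < 0;
}

int main(void)
{
    char buf[32];
    int n = usb_string_to_utf8(DESC_UNDERSIZED, sizeof DESC_UNDERSIZED, buf, sizeof buf);
    printf("understated bLength -> %d byte(s): \"%s\"\n", n, n >= 0 ? buf : "");
    n = usb_string_to_utf8(DESC_OVERSIZED, sizeof DESC_OVERSIZED, buf, sizeof buf);
    printf("overstated bLength  -> %d byte(s): \"%s\"\n", n, n >= 0 ? buf : "");
    return 0;
}
```

The design point is that the parser never lets two different notions of "length" coexist: the received byte count clamps bLength once, and from then on both the read loop and the output copy use that single value plus the destination's own capacity. A mismatch between what the device claims and what it sends degrades to a shorter string or a clean refusal rather than an out-of-bounds access.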
- CVE-2025-61663,