DEBIAN-CVE-2025-61661

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-61661
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61661.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-61661
Upstream
  • CVE-2025-61661
Published
2025-11-18T19:15:49.973Z
Modified
2025-11-20T10:33:15.219881Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVSS Calculator
Summary
[none]
Details

A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.

References

Affected packages

Debian:11 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.04-20
2.06-1
2.06-2
2.06-2+hurd.1
2.06-2+hurd.2
2.06-2+hurd.3
2.06-2+hurd.4
2.06-2+hurd.5
2.06-2+hurd.6
2.06-2+hurd.7
2.06-2+hurd.8
2.06-3~deb10u1
2.06-3~deb10u2
2.06-3~deb10u3
2.06-3~deb10u4
2.06-3~deb11u1
2.06-3~deb11u2
2.06-3~deb11u4
2.06-3~deb11u5
2.06-3~deb11u6
2.06-3
2.06-4
2.06-4+hurd.1
2.06-5
2.06-6
2.06-7
2.06-8
2.06-8+hurd.1
2.06-8.1
2.06-9
2.06-10
2.06-11
2.06-12
2.06-13
2.06-13+hurd.1
2.06-13+hurd.2
2.06-14
2.12~rc1-1
2.12~rc1-2
2.12~rc1-3
2.12~rc1-6
2.12~rc1-7
2.12~rc1-8
2.12~rc1-9
2.12~rc1-10
2.12~rc1-11
2.12~rc1-12
2.12~rc1-13
2.12-1~bpo12+1
2.12-1
2.12-1.1
2.12-2~deb13u1
2.12-2
2.12-3
2.12-4
2.12-5
2.12-5+hurd.1
2.12-6
2.12-7
2.12-8
2.12-9
2.12-9+hurd.1
2.14~git20250718.0e36779-1
2.14~git20250718.0e36779-2
2.14-1
2.14-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61661.json"

Debian:12 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.06-13
2.06-13+deb12u1
2.06-13+hurd.1
2.06-13+hurd.2
2.06-14
2.12~rc1-1
2.12~rc1-2
2.12~rc1-3
2.12~rc1-6
2.12~rc1-7
2.12~rc1-8
2.12~rc1-9
2.12~rc1-10
2.12~rc1-11
2.12~rc1-12
2.12~rc1-13
2.12-1~bpo12+1
2.12-1
2.12-1.1
2.12-2~deb13u1
2.12-2
2.12-3
2.12-4
2.12-5
2.12-5+hurd.1
2.12-6
2.12-7
2.12-8
2.12-9
2.12-9+hurd.1
2.14~git20250718.0e36779-1
2.14~git20250718.0e36779-2
2.14-1
2.14-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61661.json"

Debian:13 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.12-9
2.12-9+deb13u1
2.12-9+hurd.1
2.14~git20250718.0e36779-1
2.14~git20250718.0e36779-2
2.14-1
2.14-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61661.json"

Debian:14 / grub2

Package

Name
grub2
Purl
pkg:deb/debian/grub2?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*
2.12-9
2.12-9+hurd.1
2.14~git20250718.0e36779-1
2.14~git20250718.0e36779-2
2.14-1
2.14-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61661.json"