CVE-2025-61661 MEDIUM

CVE-2025-61661: Grub2: grub2: out-of-bounds write via malicious usb device

Vendor Gnu
Product grub2
Weakness CWE-131
Published November 18, 2025
Last update December 19, 2025

CVSS base score

4.8/10
Attack vector Physical
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
December 19, 2025 Record updated