CVE-2025-61664 MEDIUM

CVE-2025-61664: Grub2: missing unregister call for normal_exit command may lead to use-after-free

Vendor Gnu
Product grub2
Weakness CWE-825
Published November 18, 2025
Last update May 19, 2026

CVSS base score

4.9/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
May 19, 2026 Record updated