Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2025-61662

4.9 MEDIUM

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 3 months, 3 weeks ago

Grub2: missing unregister call for gettext command may lead to use-after-free

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.

References

https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5
https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5
https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5
https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5
https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5
https://access.redhat.com/security/cve/CVE-2025-61662 vdb-entryx_refsource_REDHAT
RHBZ#2414683 x_refsource_REDHATissue-tracking
http://www.openwall.com/lists/oss-security/2025/11/18/5

Affected products

grub2

=<2.14

rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

nixos-25.11 -
- nixpkgs-25.11-darwin

Package maintainers

@hehongbo Hongbo
@CertainLach Yaroslav Bolyukin <iam@lach.pw>
@digitalrane Rane <rane+git@junkyard.systems>
@SigmaSquadron Fernando Rodrigues <alpha@sigmasquadron.net>