Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2025-61661
4.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): PHYSICAL
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): NONE
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): LOW
  • Availability impact (A): HIGH
created 3 months, 3 weeks ago
Grub2: out-of-bounds write

A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.

Affected products

grub2
  • =<2.14
rhcos

Matching in nixpkgs

pkgs.grub2_pvgrub_image

PvGrub2 image for booting PV Xen guests

  • nixos-25.11 -
    • nixpkgs-25.11-darwin

pkgs.grub2_pvhgrub_image

PvGrub2 image for booting PVH Xen guests

  • nixos-25.11 -
    • nixpkgs-25.11-darwin

Package maintainers