CVE-2025-61661: GRUB USB String Conv DoS
CVE-2025-61661 Published on November 18, 2025
Grub2: grub2: out-of-bounds write via malicious usb device
A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
Vulnerability Analysis
CVE-2025-61661 can be exploited with physical access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and a high impact on availability.
Timeline
Reported to Red Hat.
Made public. 8 days later.
Weakness Type
Incorrect Calculation of Buffer Size
The software does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
Products Associated with CVE-2025-61661
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2025-61661 are published in these products:
Affected Versions
GNU grub2:- Before and including 2.14 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.