Explore top 10 tips to secure your open-source projects now. Read More
×
Several issues were found in the GRUB2 bootloader, which could result in crashes and potentially execution of arbitrary code. These could lead to bypass of UEFI Secure Boot on affected systems. For Debian 11 bullseye, these problems have been fixed in version 2.06-3~deb11u7.. Debian LTS Advisory DLA-4685-1
An update that solves six vulnerabilities can now be installed. . # Security update for grub2 Announcement ID: SUSE-SU-2026:21621-1 Release Date: 2026-05-11T08:46:20Z Rating: moderate References: * bsc#1252930 * bsc#1252931 * bsc#1252932 * bsc#1252933 * bsc#1252934 * bsc#1252935 Cross-References: * CVE-2025-54770 * CVE-2025-54771 * CVE-2025-61661 * CVE-2025-61662 * CVE-2025-61663 * CVE-2025-61664 CVSS scores: * CVE-2025-54770 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54770 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54770 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54771 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61661 ( SUSE ): 4.3 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2025-61661 ( SUSE ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61661 ( NVD ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61662 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61662 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61662 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-61662 ( NVD ): 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H * CVE-2025-61663 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61663 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61663 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61664 ( SUSE ): 4.9CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: * SUSE Linux Micro 6.0 An update that solves six vulnerabilities can now be installed. ## Description: This update for grub2 fixes the following issues * CVE-2025-54770: Missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930). * CVE-2025-54771: grub_file_close() does not properly controls the fs refcount (bsc#1252931). * CVE-2025-61661: Out-of-bounds write in grub_usb_get_string() function (bsc#1252932). * CVE-2025-61662: Missing unregister call for gettext command may lead to use- after-free (bsc#1252933). * CVE-2025-61663: Missing unregister call for normal commands may lead to use- after-free (bsc#1252934). * CVE-2025-61664: Missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935). Changes for grub2: * Bump upstream SBAT generation to 6 ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.0 zypper in -t patch SUSE-SLE-Micro-6.0-702=1 ## Package List: * SUSE Linux Micro 6.0 (aarch64 s390x x86_64) * grub2-2.12~rc1-8.1 * grub2-debugsource-2.12~rc1-8.1 * grub2-debuginfo-2.12~rc1-8.1 * SUSE Linux Micro 6.0 (noarch) * grub2-snapper-plugin-2.12~rc1-8.1 * grub2-arm64-efi-2.12~rc1-8.1 * grub2-i386-pc-2.12~rc1-8.1 * grub2-x86_64-xen-2.12~rc1-8.1 * grub2-x86_64-efi-2.12~rc1-8.1 * SUSE Linux Micro 6.0 (s390x) * grub2-s390x-emu-2.12~rc1-8.1 ## References: * https://www.suse.com/security/cve/CVE-2025-54770.html * https://www.suse.com/security/cve/CVE-2025-54771.html * https://www.suse.com/security/cve/CVE-2025-61661.html *https://www.suse.com/security/cve/CVE-2025-61662.html * https://www.suse.com/security/cve/CVE-2025-61663.html * https://www.suse.com/security/cve/CVE-2025-61664.html * https://bugzilla.suse.com/show_bug.cgi?id=1252930 * https://bugzilla.suse.com/show_bug.cgi?id=1252931 * https://bugzilla.suse.com/show_bug.cgi?id=1252932 * https://bugzilla.suse.com/show_bug.cgi?id=1252933 * https://bugzilla.suse.com/show_bug.cgi?id=1252934 * https://bugzilla.suse.com/show_bug.cgi?id=1252935 . An update for SUSE Grub2 addresses six vulnerabilities, recommended for improved system security.. SUSE Grub2 Security Update, Moderate Vulnerabilities, Linux Micro Update. . Severity: Critical. LinuxSecurity.com Team
The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-5233 http://linux.oracle.com/errata/ELSA-2026-5233.html The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network: x86_64: grub2-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-common-2.02-0.87.0.29.el7_9.14.noarch.rpm grub2-efi-ia32-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-efi-ia32-cdboot-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-efi-ia32-modules-2.02-0.87.0.29.el7_9.14.noarch.rpm grub2-efi-x64-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-efi-x64-cdboot-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-efi-x64-modules-2.02-0.87.0.29.el7_9.14.noarch.rpm grub2-pc-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-pc-modules-2.02-0.87.0.29.el7_9.14.noarch.rpm grub2-tools-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-tools-extra-2.02-0.87.0.29.el7_9.14.x86_64.rpm grub2-tools-minimal-2.02-0.87.0.29.el7_9.14.x86_64.rpm SRPMS: http://oss.oracle.com/ol7/SRPMS-updates/grub2-2.02-0.87.0.29.el7_9.14.src.rpm Related CVEs: CVE-2025-61662 Description of changes: [2.02-0.87.0.29.el7.14] - Unregister gettext command on module unload [CVE-2025-61662][Orabug: 39112125] [2.02-0.87.0.27.el7.14] - Fix OOB write in grub_net_search_config_file() CVE-2025-0624 [Orabug: 37770226] - Also adds implementation of grub_strlcpy() for clean backport [2.02-0.87.0.26.el7.14] - Replace bugzilla.oracle.com reference [Orabug: 35477723] - Backport kernel EFI allocation pacthes [Orabug: 34301086] - Add to the list CVE-2021-3695, CVE-2021-3696, CVE-2021-3697, CVE-2022-28734, CVE-2022-28735, CVE-2022-28736 [JIRA: OLDIS-16371] - bump SBAT generation [JIRA: OLDIS-16371] - Cleanup XEN shell script (Alex Burmashev) [Orabug: 33851417] - Update SBAT data (Alex Burmashev) [Orabug: 33851417] - efinet: change SNP open call (Alex Burmashev) [Orabug: 32646964] - disable buggy 0183-efinet-retransmit-if-our-device-is-busy.patch [Orabug: 27982684] - Patch multiboot2 to the recent state [Orabug:32950597] - Enable multiboot2 for UEFI ( non Secureboot ) mode [Orabug: 32950597] - Update signing certificate [Orabug: 32670043] - Update shim and certificates dependencies [Orabug: 32670043] - xfs: Don't attempt to iterate over empty directory [Orabug: 32584717] - add SBAT metadata for Oracle Linux grub2 - Use similar format for menu entry in grub environment block - config file. [Orabug: 32172943] - Fix degradation in multiboot2 code [Orabug: 32069510] - Update signing certificate for efi binaries - Update upstream references [Orabug: 30138841] - Restore symlink to grub environment file, that was removed during grub2-efi update if grub2 package is also installed on UEFI machines [Orabug: 27345750] - fix symlink removal scriptlet, to be executed only on removal [Orabug: 19231481] - Fix comparison in patch for [Orabug: 18504756] - Remove symlink to grub environment file during uninstall on EFI platforms [Orabug: 19231481] - replace dynamic EFI boot folder path generation with predefined 'redhat' (Alex Burmashev) - Put "with" in menuentry instead of "using" [Orabug: 18504756] - Use different titles for UEK and RHCK kernels [Orabug: 18504756] [2.02-087.el7.14] - Rebuild for signing - Related: RHEL-23460 [2.02-087.el7.13] - safemath: add grub_cast for gcc < 5.1 - Related: RHEL-23460 [2.02-087.el7.12] - Font CVE fixes and bump SBAT (CVE-2022-2601) - Resolves: RHEL-23460 [2.02-087.el7.11] - Bump sbat - Resolves: CVE-2022-28733 [2.02-087.el7.10] - Backport the relevant CVE fixes from the 2022-05-24 drop - Resolves: CVE-2022-28733 [2.02-087.el7.9] - Bump for signing - Resolves: #1892860 [2.02-0.87.el7.8] - Fix accidental reboot in grub_exit - Resolves: #1892860 _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-4760 http://linux.oracle.com/errata/ELSA-2026-4760.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: grub2-common-2.06-114.0.1.el9_7.1.noarch.rpm grub2-efi-aa64-modules-2.06-114.0.1.el9_7.1.noarch.rpm grub2-efi-x64-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-efi-x64-cdboot-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-efi-x64-modules-2.06-114.0.1.el9_7.1.noarch.rpm grub2-pc-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-pc-modules-2.06-114.0.1.el9_7.1.noarch.rpm grub2-tools-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-tools-efi-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-tools-extra-2.06-114.0.1.el9_7.1.x86_64.rpm grub2-tools-minimal-2.06-114.0.1.el9_7.1.x86_64.rpm aarch64: grub2-common-2.06-114.0.1.el9_7.1.noarch.rpm grub2-efi-aa64-2.06-114.0.1.el9_7.1.aarch64.rpm grub2-efi-aa64-cdboot-2.06-114.0.1.el9_7.1.aarch64.rpm grub2-efi-aa64-modules-2.06-114.0.1.el9_7.1.noarch.rpm grub2-efi-x64-modules-2.06-114.0.1.el9_7.1.noarch.rpm grub2-tools-2.06-114.0.1.el9_7.1.aarch64.rpm grub2-tools-extra-2.06-114.0.1.el9_7.1.aarch64.rpm grub2-tools-minimal-2.06-114.0.1.el9_7.1.aarch64.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/grub2-2.06-114.0.1.el9_7.1.src.rpm Related CVEs: CVE-2025-61662 Description of changes: [2.06-114.0.1.el9_7.1] - Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] - Fix typo in SBAT metadata [Orabug: 37693946] - Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] - net/dns: Fix removal of DNS server [Orabug: 37539625] - net/dns: Simplify error handling of recv_hook() function [Orabug: 37539625] - net/dns: Add debugging messages in recv_hook() function [Orabug: 37539625] - net/dns: Fix lookup error when no IPv6 is returned [Orabug: 37539625] - efinet: close and reopen network card on failure [Orabug: 35126950], [Orabug: 37747175] -efinet: Correct closing of SNP protocol [Orabug: 35126950], [Orabug: 37747175] - Support setting custom kernels as default kernels [Orabug: 36043978] - Bump SBAT metadata for grub to 3 [Orabug: 34872719] - Fix CVE-2022-3775 [Orabug: 34871953] - Enable signing for aarch64 EFI - Fix signing certificate names - Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] - Replaced bugzilla.oracle.com references [Orabug: 34202300] - Update provided certificate version to 202204 [JIRA: OLDIS-16371] - Various coverity fixes [JIRA: OLDIS-16371] - bump SBAT generation - Update bug url [Orabug: 34202300] - Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] - Update signing certificate [JIRA: OLDIS-16371] - fix SBAT data [JIRA: OLDIS-16371] - Update requires [JIRA: OLDIS-16371] - Rebuild for SecureBoot signatures [Orabug: 33801813] - Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] - Update Oracle SBAT data [Orabug: 32670033] - Use new signing certificate [Orabug: 32670033] - honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] - set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] - Update upstream references [Orabug: 26388226] - Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] - Put "with" in menuentry instead of "using" [Orabug: 18504756] - Use different titles for UEK and RHCK kernels [Orabug: 18504756] [2.06-114.1] - Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free - Resolves: #RHEL-141593 _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-4648 http://linux.oracle.com/errata/ELSA-2026-4648.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: grub2-common-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-aa64-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-ia32-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-efi-ia32-cdboot-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-efi-ia32-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-x64-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-efi-x64-cdboot-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-efi-x64-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-pc-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-pc-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-tools-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-tools-efi-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-tools-extra-2.02-170.0.1.el8_10.1.x86_64.rpm grub2-tools-minimal-2.02-170.0.1.el8_10.1.x86_64.rpm aarch64: grub2-common-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-aa64-2.02-170.0.1.el8_10.1.aarch64.rpm grub2-efi-aa64-cdboot-2.02-170.0.1.el8_10.1.aarch64.rpm grub2-efi-aa64-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-ia32-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-efi-x64-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-pc-modules-2.02-170.0.1.el8_10.1.noarch.rpm grub2-tools-2.02-170.0.1.el8_10.1.aarch64.rpm grub2-tools-extra-2.02-170.0.1.el8_10.1.aarch64.rpm grub2-tools-minimal-2.02-170.0.1.el8_10.1.aarch64.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/grub2-2.02-170.0.1.el8_10.1.src.rpm Related CVEs: CVE-2025-61662 Description of changes: [2.02-170.0.1.el8_10.1] - Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] - Fix typo in SBAT metadata [Orabug: 37693946] - Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] - net/dns: Fix removal of DNS server [Orabug: 37539625] - net/dns: Simplify error handling ofrecv_hook() function [Orabug: 37539625] - net/dns: Add debugging messages in recv_hook() function [Orabug: 37539625] - net/dns: Fix lookup error when no IPv6 is returned [Orabug: 37539625] - Use correct os_name on OL - Backport the support for setting custom kernels as default kernels [Orabug: 36690061] - Restore correct SBAT entries - Replaced bugzilla.oracle.com references [Orabug: 35475894] - efinet: Close and reopen card on failure [Orabug: 35126950] - Fix CVE-2022-3775 [Orabug: 34867710] - Bump SBAT metadata for grub to 3 [Orabug: 34871758] - Enable signing on aarch64 - Don't try to switch to a BLS config if GRUB_ENABLE_BLSCFG is already set (Javier Martinez Canillas) [Orabug: 34375996] - Enable back btrfs module by default [Orabug: 34377188] - Backport upstream SNP protocol fixes [Orabug: 34195100] - Rebase Fix EFI loader kernel image allocation patch, adapt it to new NX code [Orabug: 34352232] - enable multiboot2 [Orabug: 34285558] - backport arm64: Fix EFI loader kernel image allocation [Orabug: 33702462] - backport Arm: check for the PE magic for the compiled arch [Orabug: 33702462] - Backport some better script logic for BTRFS support [Orabug: 32448171] - Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] - Update Oracle SBAT data [Orabug: 32670033] - Use new signing certificate [Orabug: 32670033] - Fix various coverity issues [Orabug: 32530657] - Set proper blsdir if /boot is on btrfs rootfs [Orabug: 32063327] - Add CVE-2020-15706, CVE-2020-15707 to the list [Orabug: 31225072] - honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] - set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] - Update upstream references [Orabug: 26388226] - Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] - fix symlink removal scriptlet, to be executed only on removal [Orabug: 19231481] - Fix comparison in patch for 18504756 - Remove symlink to grub environment file during uninstall on EFI platforms [Orabug: 19231481] - Put"with" in menuentry instead of "using" [Orabug: 18504756] - Use different titles for UEK and RHCK kernels [Orabug: 18504756] [2.02-170.1] - Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free - Resolves: #RHEL-141583 [2.02-170] - fs/xfs/ppc64le: Update xfs code to fix install on 4KB block size - Resolves: #RHEL-142208 _______________________________________________ El-errata mailing list
The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-4649 http://linux.oracle.com/errata/ELSA-2026-4649.html The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network: x86_64: grub2-common-2.12-29.0.1.el10_1.2.noarch.rpm grub2-efi-aa64-modules-2.12-29.0.1.el10_1.2.noarch.rpm grub2-efi-x64-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-efi-x64-cdboot-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-efi-x64-modules-2.12-29.0.1.el10_1.2.noarch.rpm grub2-pc-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-pc-modules-2.12-29.0.1.el10_1.2.noarch.rpm grub2-tools-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-tools-efi-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-tools-extra-2.12-29.0.1.el10_1.2.x86_64.rpm grub2-tools-minimal-2.12-29.0.1.el10_1.2.x86_64.rpm aarch64: grub2-common-2.12-29.0.1.el10_1.2.noarch.rpm grub2-efi-aa64-2.12-29.0.1.el10_1.2.aarch64.rpm grub2-efi-aa64-cdboot-2.12-29.0.1.el10_1.2.aarch64.rpm grub2-efi-aa64-modules-2.12-29.0.1.el10_1.2.noarch.rpm grub2-efi-x64-modules-2.12-29.0.1.el10_1.2.noarch.rpm grub2-tools-2.12-29.0.1.el10_1.2.aarch64.rpm grub2-tools-extra-2.12-29.0.1.el10_1.2.aarch64.rpm grub2-tools-minimal-2.12-29.0.1.el10_1.2.aarch64.rpm SRPMS: http://oss.oracle.com/ol10/SRPMS-updates/grub2-2.12-29.0.1.el10_1.2.src.rpm Related CVEs: CVE-2025-61662 Description of changes: [2.12-29.0.1.el10_1.2] - efinet: Close and reopen card on failure [Orabug: 37808688] - Update grub2 dependencies to match new Secure Boot certificate chain of trust [Orabug: 37766761] - Fix typo in SBAT metadata [Orabug: 37693946] - Allow installation of grub2 only with shim-aa64 that allows booting it [Orabug: 37693946] - Enable btrfs module [Orabug: 37412995] - Restored shim related conflicts and provide. [Orabug: 37376920] - Rework the scripts to cover both in-place upgrade and update scenarios [Orabug: 36768566] - Support setting custom kernels as default kernels [Orabug: 36043978] - Bump SBAT metadata for grub to 3 [Orabug:34872719] - Fix CVE-2022-3775 [Orabug: 34871953] - Enable signing for aarch64 EFI - Fix signing certificate names - Enable back btrfs grub module for EFI pre-built image [Orabug: 34360986] - Replaced bugzilla.oracle.com references [Orabug: 34202300] - Update provided certificate version to 202204 [JIRA: OLDIS-16371] - Various coverity fixes [JIRA: OLDIS-16371] - bump SBAT generation - Update bug url [Orabug: 34202300] - Revert provided certificate version back to 202102 [JIRA: OLDIS-16371] - Update signing certificate [JIRA: OLDIS-16371] - fix SBAT data [JIRA: OLDIS-16371] - Update requires [JIRA: OLDIS-16371] - Rebuild for SecureBoot signatures [Orabug: 33801813] - Do not add shim and grub certificate deps for aarch64 packages [Orabug: 32670033] - Update Oracle SBAT data [Orabug: 32670033] - Use new signing certificate [Orabug: 32670033] - honor /etc/sysconfig/kernel DEFAULTKERNEL setting for BLS [Orabug: 30643497] - set EFIDIR as redhat for additional grub2 tools [Orabug: 29875597] - Update upstream references [Orabug: 26388226] - Insert Unbreakable Enterprise Kernel text into BLS config file [Orabug: 29417955] - Put "with" in menuentry instead of "using" [Orabug: 18504756] - Use different titles for UEK and RHCK kernels [Orabug: 18504756] [2.12-29.2] - Try to get gating tests running via fmf/tmt - Resolves: #RHEL-152849 [2.12-29.1] - Fixes CVE-2025-61662 Missing unregister call for gettext command may lead to use-after-free - Resolves: #RHEL-141580 _______________________________________________ El-errata mailing list
An update that solves seven vulnerabilities and has seven fixes can now be installed.. # Security update for grub2 Announcement ID: SUSE-SU-2025:21212-1 Release Date: 2025-12-15T12:52:50Z Rating: important References: * bsc#1234959 * bsc#1245636 * bsc#1245738 * bsc#1245953 * bsc#1246231 * bsc#1247242 * bsc#1249088 * bsc#1249385 * bsc#1252930 * bsc#1252931 * bsc#1252932 * bsc#1252933 * bsc#1252934 * bsc#1252935 Cross-References: * CVE-2024-56738 * CVE-2025-54770 * CVE-2025-54771 * CVE-2025-61661 * CVE-2025-61662 * CVE-2025-61663 * CVE-2025-61664 CVSS scores: * CVE-2024-56738 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2024-56738 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2024-56738 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2025-54770 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54770 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54770 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54771 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61661 ( SUSE ): 4.3 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2025-61661 ( SUSE ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61661 ( NVD ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61662 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61662 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61662 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61663 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61663 (SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61663 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61664 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: * SUSE Linux Enterprise Server 16.0 * SUSE Linux Enterprise Server for SAP Applications 16.0 An update that solves seven vulnerabilities and has seven fixes can now be installed. ## Description: This update for grub2 fixes the following issues: Changes in grub2: * CVE-2025-54771: Fixed grub_file_close() does not properly controls the fs refcount (bsc#1252931) * CVE-2025-54770: Fixed missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930) * CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933) * CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934) * CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935) * CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932) * Bump upstream SBAT generation to 6 * Fix "sparse file not allowed" error after grub2-reboot (bsc#1245738) * Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385) * turn off page flipping for i386-pc using VBE video backend (bsc#1245636) * Fix boot hangs in setting up serial console when ACPI SPCR table is present and redirection is disabled (bsc#1249088) * Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953) * Skip mount point in grub_find_device function (bsc#1246231) * CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) ## PatchInstructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 16.0 zypper in -t patch SUSE-SLES-16.0-106=1 * SUSE Linux Enterprise Server for SAP Applications 16.0 zypper in -t patch SUSE-SLES-16.0-106=1 ## Package List: * SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64) * grub2-common-debuginfo-2.12-160000.3.1 * grub2-2.12-160000.3.1 * grub2-common-2.12-160000.3.1 * SUSE Linux Enterprise Server 16.0 (noarch) * grub2-systemd-sleep-plugin-2.12-160000.3.1 * grub2-x86_64-efi-2.12-160000.3.1 * grub2-arm64-efi-2.12-160000.3.1 * grub2-snapper-plugin-2.12-160000.3.1 * grub2-powerpc-ieee1275-2.12-160000.3.1 * grub2-i386-pc-2.12-160000.3.1 * SUSE Linux Enterprise Server 16.0 (aarch64 s390x x86_64) * grub2-debugsource-2.12-160000.3.1 * SUSE Linux Enterprise Server 16.0 (s390x) * grub2-s390x-emu-2.12-160000.3.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (ppc64le x86_64) * grub2-common-debuginfo-2.12-160000.3.1 * grub2-2.12-160000.3.1 * grub2-common-2.12-160000.3.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (x86_64) * grub2-debugsource-2.12-160000.3.1 * SUSE Linux Enterprise Server for SAP Applications 16.0 (noarch) * grub2-systemd-sleep-plugin-2.12-160000.3.1 * grub2-x86_64-efi-2.12-160000.3.1 * grub2-snapper-plugin-2.12-160000.3.1 * grub2-powerpc-ieee1275-2.12-160000.3.1 * grub2-i386-pc-2.12-160000.3.1 ## References: * https://www.suse.com/security/cve/CVE-2024-56738.html * https://www.suse.com/security/cve/CVE-2025-54770.html * https://www.suse.com/security/cve/CVE-2025-54771.html * https://www.suse.com/security/cve/CVE-2025-61661.html * https://www.suse.com/security/cve/CVE-2025-61662.html * https://www.suse.com/security/cve/CVE-2025-61663.html *https://www.suse.com/security/cve/CVE-2025-61664.html * https://bugzilla.suse.com/show_bug.cgi?id=1234959 * https://bugzilla.suse.com/show_bug.cgi?id=1245636 * https://bugzilla.suse.com/show_bug.cgi?id=1245738 * https://bugzilla.suse.com/show_bug.cgi?id=1245953 * https://bugzilla.suse.com/show_bug.cgi?id=1246231 * https://bugzilla.suse.com/show_bug.cgi?id=1247242 * https://bugzilla.suse.com/show_bug.cgi?id=1249088 * https://bugzilla.suse.com/show_bug.cgi?id=1249385 * https://bugzilla.suse.com/show_bug.cgi?id=1252930 * https://bugzilla.suse.com/show_bug.cgi?id=1252931 * https://bugzilla.suse.com/show_bug.cgi?id=1252932 * https://bugzilla.suse.com/show_bug.cgi?id=1252933 * https://bugzilla.suse.com/show_bug.cgi?id=1252934 * https://bugzilla.suse.com/show_bug.cgi?id=1252935 . SUSE Linux updates for grub2 address seven important issues including use-after-free vulnerabilities effectively.. SUSE Linux, grub2 update, important security update, use-after-free issue, Linux vulnerabilities. . Severity: Important. LinuxSecurity.com Team
An update that solves seven vulnerabilities and has seven fixes can now be installed.. # Security update for grub2 Announcement ID: SUSE-SU-2025:21223-1 Release Date: 2025-12-15T12:50:52Z Rating: important References: * bsc#1234959 * bsc#1245636 * bsc#1245738 * bsc#1245953 * bsc#1246231 * bsc#1247242 * bsc#1249088 * bsc#1249385 * bsc#1252930 * bsc#1252931 * bsc#1252932 * bsc#1252933 * bsc#1252934 * bsc#1252935 Cross-References: * CVE-2024-56738 * CVE-2025-54770 * CVE-2025-54771 * CVE-2025-61661 * CVE-2025-61662 * CVE-2025-61663 * CVE-2025-61664 CVSS scores: * CVE-2024-56738 ( SUSE ): 5.7 CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2024-56738 ( SUSE ): 4.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N * CVE-2024-56738 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2025-54770 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54770 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54770 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-54771 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-54771 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61661 ( SUSE ): 4.3 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N * CVE-2025-61661 ( SUSE ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61661 ( NVD ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H * CVE-2025-61662 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61662 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61662 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61663 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61663 (SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61663 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2025-61664 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-61664 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Affected Products: * SUSE Linux Micro 6.2 An update that solves seven vulnerabilities and has seven fixes can now be installed. ## Description: This update for grub2 fixes the following issues: Changes in grub2: * CVE-2025-54771: Fixed grub_file_close() does not properly controls the fs refcount (bsc#1252931) * CVE-2025-54770: Fixed missing unregister call for net_set_vlan command may lead to use-after-free (bsc#1252930) * CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933) * CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934) * CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935) * CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932) * Bump upstream SBAT generation to 6 * Fix "sparse file not allowed" error after grub2-reboot (bsc#1245738) * Fix PowerPC network boot prefix to correctly locate grub.cfg (bsc#1249385) * turn off page flipping for i386-pc using VBE video backend (bsc#1245636) * Fix boot hangs in setting up serial console when ACPI SPCR table is present and redirection is disabled (bsc#1249088) * Fix timeout when loading initrd via http after PPC CAS reboot (bsc#1245953) * Skip mount point in grub_find_device function (bsc#1246231) * CVE-2024-56738: Fixed side-channel attack due to not constant-time algorithm in grub_crypto_memcmp (bsc#1234959) ## Patch Instructions: To install this SUSE update use the SUSE recommendedinstallation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.2 zypper in -t patch SUSE-SL-Micro-6.2-106=1 ## Package List: * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64) * grub2-common-debuginfo-2.12-160000.3.1 * grub2-2.12-160000.3.1 * grub2-common-2.12-160000.3.1 * SUSE Linux Micro 6.2 (aarch64 s390x x86_64) * grub2-debugsource-2.12-160000.3.1 * SUSE Linux Micro 6.2 (noarch) * grub2-x86_64-xen-2.12-160000.3.1 * grub2-x86_64-efi-2.12-160000.3.1 * grub2-arm64-efi-2.12-160000.3.1 * grub2-snapper-plugin-2.12-160000.3.1 * grub2-powerpc-ieee1275-2.12-160000.3.1 * grub2-i386-pc-2.12-160000.3.1 * SUSE Linux Micro 6.2 (s390x) * grub2-s390x-emu-2.12-160000.3.1 ## References: * https://www.suse.com/security/cve/CVE-2024-56738.html * https://www.suse.com/security/cve/CVE-2025-54770.html * https://www.suse.com/security/cve/CVE-2025-54771.html * https://www.suse.com/security/cve/CVE-2025-61661.html * https://www.suse.com/security/cve/CVE-2025-61662.html * https://www.suse.com/security/cve/CVE-2025-61663.html * https://www.suse.com/security/cve/CVE-2025-61664.html * https://bugzilla.suse.com/show_bug.cgi?id=1234959 * https://bugzilla.suse.com/show_bug.cgi?id=1245636 * https://bugzilla.suse.com/show_bug.cgi?id=1245738 * https://bugzilla.suse.com/show_bug.cgi?id=1245953 * https://bugzilla.suse.com/show_bug.cgi?id=1246231 * https://bugzilla.suse.com/show_bug.cgi?id=1247242 * https://bugzilla.suse.com/show_bug.cgi?id=1249088 * https://bugzilla.suse.com/show_bug.cgi?id=1249385 * https://bugzilla.suse.com/show_bug.cgi?id=1252930 * https://bugzilla.suse.com/show_bug.cgi?id=1252931 * https://bugzilla.suse.com/show_bug.cgi?id=1252932 * https://bugzilla.suse.com/show_bug.cgi?id=1252933 * https://bugzilla.suse.com/show_bug.cgi?id=1252934 * https://bugzilla.suse.com/show_bug.cgi?id=1252935 . An important security update for grub2addresses multiple vulnerabilities with fixes available now. Review for installation.. SUSE Linux, grub2 security, patch update, software vulnerabilities, Linux admin. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.