CVE-2025-61662: Grub2: missing unregister call for gettext command may lead to use-after-free
A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
Security readout for executives and security teams
Plain-English summary
This is a local GRUB2 bootloader flaw. A gettext command can remain callable after its module is unloaded, causing use of freed memory. The confirmed impact is a bootloader crash and denial of service; the source does not rule out data exposure or tampering.
Executive priority
Treat as high priority for Linux infrastructure hygiene, especially critical servers and OpenShift clusters. It is not described as remotely exploitable or actively exploited, but bootloader denial of service can create recovery and availability risk.
Technical view
CVE-2025-61662 is CWE-416 in GRUB2 gettext module lifecycle handling. The command is not unregistered on unload, leaving an orphaned callable command pointer. CVSS 3.1 is 7.8, local attack vector, low complexity, low privileges, no user interaction, with high CIA impacts assigned.
Likely exposure
Exposure is concentrated on affected Red Hat Enterprise Linux 7 ELS, 8, 9, 10 streams and OpenShift RHCOS 4.12 and 4.13 nodes carrying listed grub2 or rhcos package versions.
Exploitation context
The source bundle marks KEV as false and provides no evidence of active exploitation. Exploitation is local, not remote internet-facing. Confirmed consequence is denial of service through GRUB crash; broader confidentiality or integrity impact is possible but not proven in the bundle.
Researcher notes
The interesting control point is module unload cleanup. Review whether gettext command registration state can persist after unload and whether invocation reaches freed memory. The provided evidence supports local DoS and leaves CIA escalation unresolved.
Mitigation direction
Apply the relevant Red Hat security errata for each affected RHEL or OpenShift stream.
Prioritize boot-critical servers, virtualization hosts, and OpenShift worker and control-plane nodes.
Check vendor guidance before applying workarounds not named in the advisories.
Schedule reboot or bootloader update procedures according to Red Hat guidance.
Validation and detection
Inventory grub2 and rhcos versions across RHEL and OpenShift assets.
Map assets to the affected product streams and package versions in the CVE record.
Confirm applicable RHSA advisories are installed for each supported lifecycle stream.
Verify no unsupported or ELS systems are omitted from patch reporting.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-416: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-416 · source CWE mapping
Use After Free
Use After Free represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.