CVE ID: CVE-2025-54771
Severity: Moderate
Public Date: November 18, 2025
Last Modified: November 18, 2025 at 6:20:34 PM UTC
CVSS v3 Score: 4.9

Description

A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. A possible data integrity or confidentiality compromise is not ruled out.

Additional Information

Bugzilla: grub2: Use-after-free in grub_file_close()
CWE: CWE-825: Expired Pointer Dereference

Affected Packages and Issued Red Hat Security Errata

CVSS Scoring System

The CVSS v3 Base Score is 4.9.
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low

Understanding the Weakness (CWE)

CWE-825: Confidentiality, Availability, Integrity
Technical Impact: Read Memory, DoS: Crash, Exit, or Restart, Execute Unauthorized Code or Commands

If the expired pointer is used in a read operation, an attacker might be able to control data read in by the application. If the expired pointer references a memory location that is not accessible to the product, or points to a location that is "malformed" (such as NULL) or larger than expected by a read or write operation, then a crash may occur. If the expired pointer is used in a function call, or points to unexpected data in a write operation, then code execution may be possible.
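The following is an added illustration of the CWE-825 pattern the advisory describes (a close routine that releases a file system structure but leaves the file object's pointer to it intact), placed beside a hardened close that clears the reference before releasing it. It is constructed for this page and is not GRUB's code: demo_fs, demo_file, demo_file_close_buggy, demo_file_close and demo_file_fs_name are hypothetical names, and the open-count ownership model is an assumption chosen to keep the example self-contained.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a file system structure (constructed for this
 * example; not GRUB's real type). */
struct demo_fs {
    char name[16];
    int  open_files;      /* how many demo_file objects still reference us */
};

/* Hypothetical stand-in for a file object that borrows a pointer to its fs. */
struct demo_file {
    struct demo_fs *fs;   /* borrowed reference; must not outlive the fs */
    size_t offset;
};

struct demo_fs *demo_fs_create(const char *name)
{
    struct demo_fs *fs = calloc(1, sizeof *fs);
    if (!fs)
        return NULL;
    strncpy(fs->name, name, sizeof fs->name - 1);  /* calloc keeps it NUL-terminated */
    return fs;
}

/* Opening a file records the borrowed fs pointer and bumps the open count. */
int demo_file_open(struct demo_file *f, struct demo_fs *fs)
{
    if (!fs)
        return -1;
    f->fs = fs;
    f->offset = 0;
    fs->open_files++;
    return 0;
}

/* BUGGY close (the pattern CWE-825 describes): the fs may be freed here, but
 * f->fs keeps the old address, so any later access through f dereferences an
 * expired pointer. Shown for comparison only; demo_scenario never calls it. */
void demo_file_close_buggy(struct demo_file *f)
{
    if (f->fs && --f->fs->open_files == 0)
        free(f->fs);
    /* f->fs is now dangling */
}

/* HARDENED close: take the pointer out of the file object first, then release
 * it. The file no longer holds any reference, so a later use fails cleanly
 * and a duplicate close is a harmless no-op. */
void demo_file_close(struct demo_file *f)
{
    struct demo_fs *fs = f->fs;
    f->fs = NULL;
    f->offset = 0;
    if (fs && --fs->open_files == 0)
        free(fs);
}

/* Accessor that checks the reference before dereferencing it. Returns 0 and
 * copies the fs name on success, -1 if the file has been closed. */
int demo_file_fs_name(const struct demo_file *f, char *out, size_t outlen)
{
    if (!f->fs || outlen == 0)
        return -1;
    strncpy(out, f->fs->name, outlen - 1);
    out[outlen - 1] = '\0';
    return 0;
}

/* Scenario: two files share one fs. Closing one must leave the other usable,
 * and the closed one must report an error instead of touching freed memory.
 * Returns 1 if every check passes, 0 otherwise. */
int demo_scenario(void)
{
    struct demo_fs *fs = demo_fs_create("demofs");
    struct demo_file a, b;
    char buf[16];
    int ok = 1;

    if (!fs)
        return 0;
    demo_file_open(&a, fs);
    demo_file_open(&b, fs);

    demo_file_close(&a);
    ok &= (a.fs == NULL);                                   /* reference cleared */
    ok &= (demo_file_fs_name(&a, buf, sizeof buf) == -1);   /* closed: refused */
    ok &= (demo_file_fs_name(&b, buf, sizeof buf) == 0);    /* still open */
    ok &= (strcmp(buf, "demofs") == 0);
    ok &= (fs->open_files == 1);

    demo_file_close(&a);      /* duplicate close: no double free */
    demo_file_close(&b);      /* last reference: fs freed here */
    ok &= (b.fs == NULL);
    return ok;
}

int main(void)
{
    printf("hardened close scenario: %s\n", demo_scenario() ? "ok" : "FAILED");
    return 0;
}
```

The point of the hardened variant is ordering: every reference the file object holds is invalidated before the underlying structure is released, so a stale file object cannot reach freed memory, and a second close on the same object is safe. In a real code base, the same property is what sanitizers (ASan, or a poisoning allocator in a firmware build) and a "closed object refuses all operations" check in tests are there to confirm.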