Security update for grub2

Announcement ID:	SUSE-SU-2025:4197-1
Release Date:	2025-11-24T11:04:07Z
Rating:	moderate
References:	bsc#1252931 bsc#1252932 bsc#1252933 bsc#1252934 bsc#1252935
Cross-References:	CVE-2025-54771 CVE-2025-61661 CVE-2025-61662 CVE-2025-61663 CVE-2025-61664
CVSS scores:	CVE-2025-54771 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-54771 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-54771 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61661 ( SUSE ): 4.3 CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N CVE-2025-61661 ( SUSE ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2025-61661 ( NVD ): 4.8 CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2025-61662 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-61662 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61662 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61663 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-61663 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61663 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61664 ( SUSE ): 2.1 CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N CVE-2025-61664 ( SUSE ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVE-2025-61664 ( NVD ): 4.9 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
Affected Products:	SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security SUSE Linux Enterprise Server for SAP Applications 12 SP5

An update that solves five vulnerabilities can now be installed.

Description:

This update for grub2 fixes the following issues:

• CVE-2025-54771: Fixed rub_file_close() does not properly controls the fs refcount (bsc#1252931)
• CVE-2025-61661: Fixed out-of-bounds write in grub_usb_get_string() function (bsc#1252932)
• CVE-2025-61662: Fixed missing unregister call for gettext command may lead to use-after-free (bsc#1252933)
• CVE-2025-61663: Fixed missing unregister call for normal commands may lead to use-after-free (bsc#1252934)
• CVE-2025-61664: Fixed missing unregister call for normal_exit command may lead to use-after-free (bsc#1252935)

Other fixes:

• Bump upstream SBAT generation to 6

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2025-4197=1

Package List:

• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
  • grub2-x86_64-efi-2.02-193.1
  • grub2-debugsource-2.02-193.1
  • grub2-2.02-193.1
  • grub2-i386-pc-2.02-193.1
  • grub2-debuginfo-2.02-193.1
• SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
  • grub2-x86_64-xen-2.02-193.1
  • grub2-systemd-sleep-plugin-2.02-193.1
  • grub2-snapper-plugin-2.02-193.1

References:

• https://www.suse.com/security/cve/CVE-2025-54771.html
• https://www.suse.com/security/cve/CVE-2025-61661.html
• https://www.suse.com/security/cve/CVE-2025-61662.html
• https://www.suse.com/security/cve/CVE-2025-61663.html
• https://www.suse.com/security/cve/CVE-2025-61664.html
• https://bugzilla.suse.com/show_bug.cgi?id=1252931
• https://bugzilla.suse.com/show_bug.cgi?id=1252932
• https://bugzilla.suse.com/show_bug.cgi?id=1252933
• https://bugzilla.suse.com/show_bug.cgi?id=1252934
• https://bugzilla.suse.com/show_bug.cgi?id=1252935