CVE-2025-61661: 
Linux Debian vulnerability analysis and mitigation

A vulnerability (CVE-2025-61661) has been identified in the GRUB (Grand Unified Bootloader) component. The flaw occurs when the bootloader mishandles string conversion while reading information from a USB device, allowing an attacker to exploit inconsistent length values. This vulnerability was discovered and reported by Jamie, with initial disclosure on November 18, 2025 (NVD, Red Hat).

The vulnerability stems from an incorrect length field used for buffer allocation in the grubusbget_string() function. When reading strings from a USB device, the initial length is taken from the first message read and used for memory allocation. However, during conversion, the length value is taken from a second USB device read, potentially leading to a mismatch between allocated buffer size and actual data length. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H (NVD, Ubuntu).

A successful exploitation of this vulnerability may lead to GRUB crashing, resulting in a Denial of Service condition. Additionally, data corruption is possible, though the impact is likely limited due to the complexity of the exploit. The vulnerability affects the system's boot process when a maliciously configured USB device is present (NVD).

A patch has been developed that corrects the string length field usage in the USB test command. The fix ensures the correct length value is used for buffer allocation by replacing descstr.length with descstrp->length in the affected code. The patch has been reviewed and signed off by Daniel Kiper (Openwall).