Debian Package Tracker
Register | Log in
Subscribe

grub2

GRand Unified Bootloader, version 2 (dummy package)

Choose email to subscribe with

general
  • source: grub2 (main)
  • version: 2.14-3
  • maintainer: GRUB Maintainers (archive) (DMD)
  • uploaders: Jordi Mallach [DMD] – Julian Andres Klode [DMD] – Steve McIntyre [DMD] – Felix Zielcke [DMD] [DM] – Mate Kukri [DMD] [DM]
  • arch: any
  • std-ver: 3.9.6
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 2.06-3~deb11u6
  • o-o-sec: 2.06-3~deb11u7
  • o-o-upd: 2.06-3~deb11u2
  • oldstable: 2.06-13+deb12u2
  • old-sec: 2.06-13+deb12u1
  • old-bpo: 2.12-1~bpo12+1
  • stable: 2.12-9+deb13u2
  • testing: 2.14-3
  • unstable: 2.14-3
versioned links
  • 2.06-3~deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.06-3~deb11u6: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.06-3~deb11u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.06-13+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.06-13+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.12-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.12-9+deb13u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 2.14-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • grub-common (172 bugs: 0, 124, 48, 0)
  • grub-coreboot (1 bugs: 0, 0, 1, 0)
  • grub-coreboot-bin (1 bugs: 0, 1, 0, 0)
  • grub-coreboot-dbg
  • grub-efi (14 bugs: 0, 13, 1, 0)
  • grub-efi-amd64 (61 bugs: 4, 48, 9, 0)
  • grub-efi-amd64-bin (17 bugs: 0, 17, 0, 0)
  • grub-efi-amd64-dbg
  • grub-efi-amd64-signed-template
  • grub-efi-amd64-unsigned
  • grub-efi-arm (2 bugs: 0, 2, 0, 0)
  • grub-efi-arm-bin
  • grub-efi-arm-dbg
  • grub-efi-arm-unsigned
  • grub-efi-arm64 (6 bugs: 1, 5, 0, 0)
  • grub-efi-arm64-bin (1 bugs: 0, 1, 0, 0)
  • grub-efi-arm64-dbg
  • grub-efi-arm64-signed-template
  • grub-efi-arm64-unsigned
  • grub-efi-ia32 (5 bugs: 0, 4, 1, 0)
  • grub-efi-ia32-bin
  • grub-efi-ia32-dbg
  • grub-efi-ia32-signed-template
  • grub-efi-ia32-unsigned
  • grub-efi-loong64
  • grub-efi-loong64-bin
  • grub-efi-loong64-dbg
  • grub-efi-loong64-unsigned
  • grub-efi-riscv64 (1 bugs: 1, 0, 0, 0)
  • grub-efi-riscv64-bin
  • grub-efi-riscv64-dbg
  • grub-efi-riscv64-unsigned
  • grub-emu
  • grub-emu-dbg
  • grub-firmware-qemu
  • grub-ieee1275 (7 bugs: 0, 6, 1, 0)
  • grub-ieee1275-bin (1 bugs: 0, 1, 0, 0)
  • grub-ieee1275-dbg
  • grub-linuxbios
  • grub-mount-udeb
  • grub-pc (259 bugs: 1, 206, 52, 0)
  • grub-pc-bin (7 bugs: 0, 6, 1, 0)
  • grub-pc-dbg
  • grub-rescue-pc (3 bugs: 0, 1, 2, 0)
  • grub-theme-starfield
  • grub-uboot (1 bugs: 0, 1, 0, 0)
  • grub-uboot-bin
  • grub-uboot-dbg
  • grub-xen (4 bugs: 0, 2, 2, 0)
  • grub-xen-bin
  • grub-xen-dbg
  • grub-xen-host (6 bugs: 0, 6, 0, 0)
  • grub2 (69 bugs: 0, 48, 21, 0)
  • grub2-common (72 bugs: 1, 48, 23, 0)
action needed
1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:
  • CVE-2024-56738: GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
Created: 2024-12-20 Last update: 2026-07-15 15:00
1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:
  • CVE-2024-56738: GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
Created: 2025-08-09 Last update: 2026-07-15 15:00
debian/patches: 2 patches with invalid metadata, 62 patches to forward upstream high

Among the 71 debian patches available in version 2.14-3 of the package, we noticed the following issues:

  • 2 patches with invalid metadata that ought to be fixed.
  • 62 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2026-06-24 07:00
Standards version of the package is outdated. high
The package is severely out of date with respect to the Debian Policy. The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 3.9.6).
Created: 2016-02-06 Last update: 2026-06-24 01:30
lintian reports 473 errors and 201 warnings high
Lintian reports 473 errors and 201 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-01-16 Last update: 2026-02-11 05:31
63 bugs tagged patch in the BTS normal
The BTS contains patches fixing 63 bugs (77 if counting merged bugs), consider including or untagging them.
Created: 2026-06-02 Last update: 2026-07-15 14:00
Does not build reproducibly during testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2022-09-24 Last update: 2026-07-15 13:33
7 open merge requests in Salsa normal
There are 7 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.
Created: 2025-08-19 Last update: 2026-03-31 21:32
8 low-priority security issues in trixie low

There are 8 open security issues in trixie.

8 issues left for the package maintainer to handle:
  • CVE-2025-4382: (needs triaging) A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.
  • CVE-2024-56738: (postponed; to be fixed through a stable update) GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
  • CVE-2025-54770: (needs triaging) A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability
  • CVE-2025-54771: (needs triaging) A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
  • CVE-2025-61661: (needs triaging) A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
  • CVE-2025-61662: (needs triaging) A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
  • CVE-2025-61663: (needs triaging) A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
  • CVE-2025-61664: (needs triaging) A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-05-10 Last update: 2026-07-15 15:00
9 low-priority security issues in bookworm low

There are 9 open security issues in bookworm.

9 issues left for the package maintainer to handle:
  • CVE-2025-4382: (needs triaging) A flaw was found in systems utilizing LUKS-encrypted disks with GRUB configured for TPM-based auto-decryption. When GRUB is set to automatically decrypt disks using keys stored in the TPM, it reads the decryption key into system memory. If an attacker with physical access can corrupt the underlying filesystem superblock, GRUB will fail to locate a valid filesystem and enter rescue mode. At this point, the disk is already decrypted, and the decryption key remains loaded in system memory. This scenario may allow an attacker with physical access to access the unencrypted data without any further authentication, thereby compromising data confidentiality. Furthermore, the ability to force this state through filesystem corruption also presents a data integrity concern.
  • CVE-2024-56737: (needs triaging) GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem.
  • CVE-2024-56738: (postponed; to be fixed through a stable update) GNU GRUB (aka GRUB2) through 2.12 does not use a constant-time algorithm for grub_crypto_memcmp and thus allows side-channel attacks.
  • CVE-2025-54770: (needs triaging) A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the net_set_vlan command is not properly unregistered when the network module is unloaded from memory. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability
  • CVE-2025-54771: (needs triaging) A use-after-free vulnerability has been identified in the GNU GRUB (Grand Unified Bootloader). The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
  • CVE-2025-61661: (needs triaging) A vulnerability has been identified in the GRUB (Grand Unified Bootloader) component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a maliciously configured USB device during the boot sequence to trigger this issue. A successful exploitation may lead GRUB to crash, leading to a Denial of Service. Data corruption may be also possible, although given the complexity of the exploit the impact is most likely limited.
  • CVE-2025-61662: (needs triaging) A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the application to access a memory location that is no longer valid. An attacker could exploit this vulnerability to cause grub to crash, leading to a Denial of Service. Possible data integrity or confidentiality compromise is not discarded.
  • CVE-2025-61663: (needs triaging) A vulnerability has been identified in the GRUB2 bootloader's normal command that poses an immediate Denial of Service (DoS) risk. This flaw is a Use-after-Free issue, caused because the normal command is not properly unregistered when the module is unloaded. An attacker who can execute this command can force the system to access memory locations that are no longer valid. Successful exploitation leads directly to system instability, which can result in a complete crash and halt system availability. Impact on the data integrity and confidentiality is also not discarded.
  • CVE-2025-61664: (needs triaging) A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normal_exit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after the module has been removed, causing the system to improperly access a previously freed memory location. This leads to a system crash or possible impacts in data confidentiality and integrity.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-12-20 Last update: 2026-07-15 15:00
Issues found with some translations low

Automatic checks made by the Debian l10n team found some issues with the translations contained in this package. You should check the l10n status report for more information.

Issues can be things such as missing translations, problematic translated strings, outdated PO files, unknown languages, etc.

Created: 2020-02-26 Last update: 2026-02-07 14:32
news
[rss feed]
  • [2026-07-15] Accepted grub2 2.06-3~deb11u7 (source) into oldoldstable-security (Emilio Pozuelo Monfort)
  • [2026-06-25] grub2 2.14-3 MIGRATED to testing (Debian testing watch)
  • [2026-06-23] Accepted grub2 2.14-3 (source) into unstable (Mate Kukri)
  • [2026-05-03] Accepted grub2 2.12-9+deb13u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Aurelien Jarno)
  • [2026-05-03] Accepted grub2 2.06-13+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Steve McIntyre)
  • [2026-04-20] grub2 2.14-2 MIGRATED to testing (Debian testing watch)
  • [2026-03-06] Accepted grub2 2.12-9+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Shengqi Chen)
  • [2026-02-10] Accepted grub2 2.14-2 (source) into unstable (Mate Kukri) (signed by: Julian Andres Klode)
  • [2026-02-06] Accepted grub2 2.14-1 (source) into unstable (Mate Kukri) (signed by: Julian Andres Klode)
  • [2025-12-05] grub2 2.14~git20250718.0e36779-2 MIGRATED to testing (Debian testing watch)
  • [2025-11-02] Accepted grub2 2.14~git20250718.0e36779-2 (source) into unstable (Julian Andres Klode)
  • [2025-08-12] Accepted grub2 2.14~git20250718.0e36779-1 (source) into experimental (Mate Kukri) (signed by: Julian Andres Klode)
  • [2025-07-09] grub2 2.12-9 MIGRATED to testing (Debian testing watch)
  • [2025-07-03] Accepted grub2 2.12-9 (source) into unstable (Felix Zielcke)
  • [2025-06-18] grub2 2.12-8 MIGRATED to testing (Debian testing watch)
  • [2025-06-11] Accepted grub2 2.12-8 (source) into unstable (Felix Zielcke)
  • [2025-03-23] grub2 2.12-7 MIGRATED to testing (Debian testing watch)
  • [2025-03-15] Accepted grub2 2.12-7 (source) into unstable (Felix Zielcke)
  • [2025-03-13] Accepted grub2 2.12-6 (source) into unstable (Mate Kukri) (signed by: Julian Andres Klode)
  • [2024-07-21] grub2 2.12-5 MIGRATED to testing (Debian testing watch)
  • [2024-07-15] Accepted grub2 2.12-5 (source) into unstable (Felix Zielcke)
  • [2024-07-10] Accepted grub2 2.12-4 (source) into unstable (Felix Zielcke)
  • [2024-05-03] grub2 2.12-2 MIGRATED to testing (Debian testing watch)
  • [2024-04-25] Accepted grub2 2.12-3 (source amd64) into experimental (Debian FTP Masters) (signed by: Julian Andres Klode)
  • [2024-04-07] grub2 2.12-2~deb13u1 MIGRATED to testing (Debian testing watch)
  • [2024-04-05] Accepted grub2 2.12-2 (source) into unstable (Julian Andres Klode)
  • [2024-04-05] Accepted grub2 2.12-2~deb13u1 (source) into testing-proposed-updates (Julian Andres Klode)
  • [2024-04-03] Accepted grub2 2.12-1.1 (source) into unstable (Bastian Blank)
  • [2024-03-13] Accepted grub2 2.12-1~bpo12+1 (source amd64) into stable-backports (Debian FTP Masters) (signed by: John Goerzen)
  • [2024-02-01] grub2 2.12-1 MIGRATED to testing (Debian testing watch)
  • 1
  • 2
bugs [bug history graph]
  • all: 735 768
  • RC: 10
  • I&N: 555 579
  • M&W: 168 177
  • F&P: 2
  • patch: 63 77
links
  • homepage
  • lintian (473, 201)
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • other distros
  • security tracker
  • screenshots
  • l10n (89, 79)
  • debian patches
ubuntu Ubuntu logo [Information about Ubuntu for Debian Developers]
  • version: 2.14-2ubuntu3
  • patches for 2.14-2ubuntu3

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.
Documentation — Bugs — Git Repository — Contributing