diff --git a/debian/changelog b/debian/changelog
index ba8e3b68cb6b1671486a96abe27156674af066d9..0747de6f9719b3c2c8d8b813733780b636e0690c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,10 @@ grub2 (2.06-6) UNRELEASED; urgency=high
   [ Steve McIntyre ]
   * Include fonts in the memdisk build for EFI images.
     Closes: #1024395, #1025352, #1024447
+  * Bump Debian SBAT level to 4
+    - Due to a mistake in the buster upload (2.06-3~deb10u2) that left
+      the CVE-2022-2601 bugs in place, we need to bump SBAT for all of
+      the Debian GRUB binaries. :-(
 
  -- Steve McIntyre <93sam@debian.org>  Sun, 13 Nov 2022 00:33:35 +0000
 
diff --git a/debian/sbat.debian.csv.in b/debian/sbat.debian.csv.in
index 5225c904af4c30ddbf7e233b0fbeea16e8754e40..8aa3c412ea5a3d113cec56960c6928ac0dc014da 100644
--- a/debian/sbat.debian.csv.in
+++ b/debian/sbat.debian.csv.in
@@ -1,3 +1,3 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 grub,3,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
-grub.debian,1,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2
+grub.debian,4,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2