{"id":"USN-7894-2","summary":"edk2 regression","details":"USN-7894-1 fixed vulnerabilities in EDK II. The update introduced a\nregression in the UEFI network boot. This update reverts the corresponding\nfixes for CVE-2023-45236 and CVE-2023-45237 pending further investigation.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\n It was discovered that EDK II was susceptible to a predictable TCP Initial\n Sequence Number. An attacker could possibly use this issue to gain\n unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu\n 24.04 LTS. (CVE-2023-45236, CVE-2023-45237)\n\n It was discovered that EDK II incorrectly handled S3 sleep. An attacker\n could possibly use this issue to cause a denial of service. This issue only\n affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)\n\n It was discovered that the EDK II PE/COFF loader incorrectly handled\n certain memory operations. An attacker could possibly use this issue to\n cause a denial of service, obtain sensitive information, or execute\n arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu\n 24.04 LTS. (CVE-2024-38796)\n\n It was discovered that the EDK II PE image hashing function incorrectly\n handled certain memory operations. An attacker could possibly use this\n issue to cause a denial of service, or execute arbitrary code.\n (CVE-2024-38797)\n\n It was discovered that the EDK II BIOS incorrectly handled certain memory\n operations. An attacker could possibly use this issue to cause a denial of\n service. (CVE-2024-38805, CVE-2025-2295)\n\n It was discovered that EDK II incorrectly handled the enabling of MCE. An\n attacker could possibly use this issue to cause a denial of service, or\n execute arbitrary code. (CVE-2025-3770)\n\n It was discovered that the OpenSSL library embedded in EDK II contained\n multiple vulnerabilities. An attacker could possibly use these issues to\n cause a denial of service, obtain sensitive information, or execute\n arbitrary code. (CVE-2021-3712, CVE-2022-0778, CVE-2022-4304,\n CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,\n CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-5678,\n CVE-2023-6237, CVE-2024-0727, CVE-2024-13176, CVE-2024-2511,\n CVE-2024-41996, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143,\n CVE-2025-9232)","modified":"2026-02-10T04:50:36Z","published":"2025-11-28T14:58:41Z","related":["UBUNTU-CVE-2023-45236","UBUNTU-CVE-2023-45237"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7894-2"},{"type":"REPORT","url":"https://launchpad.net/bugs/2133157"}],"affected":[{"package":{"name":"edk2","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/edk2@2022.02-3ubuntu0.22.04.5?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2022.02-3ubuntu0.22.04.5"}]}],"versions":["2021.08~rc0-2","2021.08-3","2021.11~rc1-1","2021.11-1","2021.11-2","2022.02~rc1-1","2022.02~rc1-1ubuntu1","2022.02-1","2022.02-2","2022.02-3","2022.02-3ubuntu0.22.04.1","2022.02-3ubuntu0.22.04.2","2022.02-3ubuntu0.22.04.3","2022.02-3ubuntu0.22.04.4"],"ecosystem_specific":{"binaries":[{"binary_version":"2022.02-3ubuntu0.22.04.5","binary_name":"ovmf"},{"binary_version":"2022.02-3ubuntu0.22.04.5","binary_name":"ovmf-ia32"},{"binary_version":"2022.02-3ubuntu0.22.04.5","binary_name":"qemu-efi"},{"binary_version":"2022.02-3ubuntu0.22.04.5","binary_name":"qemu-efi-aarch64"},{"binary_version":"2022.02-3ubuntu0.22.04.5","binary_name":"qemu-efi-arm"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7894-2.json"}},{"package":{"name":"edk2","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/edk2@2024.02-2ubuntu0.7?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2024.02-2ubuntu0.7"}]}],"versions":["2023.05-2","2023.11-2","2023.11-3","2023.11-4","2023.11-5","2023.11-6","2023.11-8","2024.02-1","2024.02-2","2024.02-2ubuntu0.1","2024.02-2ubuntu0.3","2024.02-2ubuntu0.4","2024.02-2ubuntu0.5","2024.02-2ubuntu0.6"],"ecosystem_specific":{"binaries":[{"binary_version":"2024.02-2ubuntu0.7","binary_name":"efi-shell-aa64"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"efi-shell-arm"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"efi-shell-ia32"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"efi-shell-riscv64"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"efi-shell-x64"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"ovmf"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"ovmf-ia32"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"qemu-efi-aarch64"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"qemu-efi-arm"},{"binary_version":"2024.02-2ubuntu0.7","binary_name":"qemu-efi-riscv64"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7894-2.json"}}],"schema_version":"1.7.3"}