========================================================================== Ubuntu Security Notice USN-7894-1 November 26, 2025
edk2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 25.04 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in EDK II. Software Description: - edk2: UEFI firmware for virtual machines Details: It was discovered that EDK II was susceptible to a predictable TCP Initial Sequence Number. An attacker could possibly use this issue to gain unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2023-45236, CVE-2023-45237) It was discovered that EDK II incorrectly handled S3 sleep. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298) It was discovered that the EDK II PE/COFF loader incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information, or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-38796) It was discovered that the EDK II PE image hashing function incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-38797) It was discovered that the EDK II BIOS incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-38805, CVE-2025-2295) It was discovered that EDK II incorrectly handled the enabling of MCE. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2025-3770) It was discovered that the OpenSSL library embedded in EDK II contained multiple vulnerabilties. An attacker could possibly use these issues to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2021-3712, CVE-2022-0778, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-5678, CVE-2023-6237, CVE-2024-0727, CVE-2024-13176, CVE-2024-2511, CVE-2024-41996, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143, CVE-2025-9232) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 25.04 ovmf 2025.02-3ubuntu2.2 ovmf-ia32 2025.02-3ubuntu2.2 qemu-efi-aarch64 2025.02-3ubuntu2.2 qemu-efi-arm 2025.02-3ubuntu2.2 qemu-efi-loongarch64 2025.02-3ubuntu2.2 qemu-efi-riscv64 2025.02-3ubuntu2.2 Ubuntu 24.04 LTS ovmf 2024.02-2ubuntu0.6 ovmf-ia32 2024.02-2ubuntu0.6 qemu-efi-aarch64 2024.02-2ubuntu0.6 qemu-efi-arm 2024.02-2ubuntu0.6 qemu-efi-riscv64 2024.02-2ubuntu0.6 Ubuntu 22.04 LTS ovmf 2022.02-3ubuntu0.22.04.4 ovmf-ia32 2022.02-3ubuntu0.22.04.4 qemu-efi 2022.02-3ubuntu0.22.04.4 qemu-efi-aarch64 2022.02-3ubuntu0.22.04.4 qemu-efi-arm 2022.02-3ubuntu0.22.04.4 After a standard system update you need to restart the virtual machines that use the affected firmware to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7894-1 CVE-2021-3712, CVE-2022-0778, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-45236, CVE-2023-45237, CVE-2023-5678, CVE-2023-6237, CVE-2024-0727, CVE-2024-1298, CVE-2024-13176, CVE-2024-2511, CVE-2024-38796, CVE-2024-38797, CVE-2024-38805, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143, CVE-2025-2295, CVE-2025-3770, CVE-2025-9232 Package Information: https://launchpad.net/ubuntu/+source/edk2/2025.02-3ubuntu2.2 https://launchpad.net/ubuntu/+source/edk2/2024.02-2ubuntu0.6 https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.4
signature.asc
Description: OpenPGP digital signature
