CVE-2024-38798

Name: CVE-2024-38798
Description: EDK2 contains a vulnerability in BIOS where an attacker may cause “Exposure of Sensitive Information to an Unauthorized Actor” by local access. Successful exploitation of this vulnerability will lead to possible information disclosure or escalation of privilege and impact Confidentiality.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1122288

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release               Version             Status
edk2 (PTS)       bullseye              2020.11-2+deb11u2   vulnerable
edk2 (PTS)       bullseye (security)   2020.11-2+deb11u3   vulnerable
edk2 (PTS)       bookworm              2022.11-6+deb12u2   vulnerable
edk2 (PTS)       bookworm (security)   2022.11-6+deb12u1   vulnerable
edk2 (PTS)       trixie                2025.02-8           vulnerable
edk2 (PTS)       forky                 2025.02-9           vulnerable
edk2 (PTS)       sid                   2025.08.01-6        vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
edk2      source   (unstable)   (unfixed)       -         -        1122288

Notes

Advisory: https://github.com/tianocore/edk2/security/advisories/GHSA-q2c6-37h5-7cwf
Fixed by: https://github.com/tianocore/edk2/commit/0cad130cb4885961da201bb9b08424b3fd3d2249 (edk2-stable202511)
