CVE-2025-2296

NameCVE-2025-2296
DescriptionEDK2 contains a vulnerability in BIOS where an attacker may cause “ Improper Input Validation” by local access. Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
edk2 (PTS)bullseye2020.11-2+deb11u2vulnerable
bullseye (security)2020.11-2+deb11u3vulnerable
bookworm2022.11-6+deb12u2vulnerable
bookworm (security)2022.11-6+deb12u1vulnerable
trixie2025.02-8fixed
forky2025.02-9fixed
sid2025.08.01-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
edk2source(unstable)2025.02-1

Notes

https://github.com/tianocore/edk2/security/advisories/GHSA-6pp6-cm5h-86g5
https://github.com/tianocore/edk2/pull/10628
Search for package or bug name: Reporting problems