UBUNTU-CVE-2025-2486

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2025-2486
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-2486.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-2486
Upstream
Published
2025-11-26T18:15:00Z
Modified
2026-01-20T18:16:25.730816Z
Severity
  • 3.7 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:U CVSS Calculator
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decision to continue running inside the Shell itself, which is believed to be sufficient to enforce Secure Boot restrictions. This is an additional repair on top of the incomplete fix for CVE-2023-48733.

References

Affected packages

Ubuntu:24.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2024.02-2ubuntu0.3?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2024.02-2ubuntu0.3

Affected versions

2023.*
2023.05-2
2023.11-2
2023.11-3
2023.11-4
2023.11-5
2023.11-6
2023.11-8
2024.*
2024.02-1
2024.02-2
2024.02-2ubuntu0.1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "efi-shell-aa64",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "efi-shell-arm",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "efi-shell-ia32",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "efi-shell-riscv64",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "efi-shell-x64",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "ovmf",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "ovmf-ia32",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "qemu-efi-aarch64",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "qemu-efi-arm",
            "binary_version": "2024.02-2ubuntu0.3"
        },
        {
            "binary_name": "qemu-efi-riscv64",
            "binary_version": "2024.02-2ubuntu0.3"
        }
    ],
    "availability": "No subscription required"
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-2486.json"