CVE-2025-2296
Publication date 9 December 2025
Last updated 17 December 2025
Ubuntu priority
Description
EDK2 contains a vulnerability in BIOS where an attacker with local access may trigger "Improper Input Validation". Successful exploitation of this vulnerability could alter control flow in unexpected ways, potentially allowing arbitrary command execution and impacting Confidentiality, Integrity, and Availability.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| edk2 | 25.10 questing | Needs evaluation |
| edk2 | 25.04 plucky | Needs evaluation |
| edk2 | 24.04 LTS noble | Needs evaluation |
| edk2 | 22.04 LTS jammy | Needs evaluation |
| edk2 | 20.04 LTS focal | Needs evaluation |
| edk2 | 18.04 LTS bionic | Needs evaluation |
| edk2 | 16.04 LTS xenial | Needs evaluation |
Notes
mdeslaur
Fixing this requires QEMU changes, see blog post. The upstream advisory says this is fixed in 2025.05, but the blog post claims this is fixed in 2025.02. Need to clarify.