[USN-7894-2] EDK II regression
[USN-7894-2] EDK II regression
==========================================================================
Ubuntu Security Notice USN-7894-2
November 28, 2025
edk2 regression
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
USN-7894-1 introduced a regression in EDK II
Software Description:
- edk2: UEFI firmware for virtual machines
Details:
USN-7894-1 fixed vulnerabilities in EDK II. The update introduced a
regression in the UEFI network boot. This update reverts the corresponding
fixes for CVE-2023-45236 and CVE-2023-45237 pending further investigation.
We apologize for the inconvenience.
Original advisory details:
It was discovered that EDK II was susceptible to a predictable TCP Initial
Sequence Number. An attacker could possibly use this issue to gain
unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2023-45236, CVE-2023-45237)
It was discovered that EDK II incorrectly handled S3 sleep. An attacker
could possibly use this issue to cause a denial of service. This issue only
affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)
It was discovered that the EDK II PE/COFF loader incorrectly handled
certain memory operations. An attacker could possibly use this issue to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu
24.04 LTS. (CVE-2024-38796)
It was discovered that the EDK II PE image hashing function incorrectly
handled certain memory operations. An attacker could possibly use this
issue to cause a denial of service, or execute arbitrary code.
(CVE-2024-38797)
It was discovered that the EDK II BIOS incorrectly handled certain memory
operations. An attacker could possibly use this issue to cause a denial of
service. (CVE-2024-38805, CVE-2025-2295)
It was discovered that EDK II incorrectly handled the enabling of MCE. An
attacker could possibly use this issue to cause a denial of service, or
execute arbitrary code. (CVE-2025-3770)
It was discovered that the OpenSSL library embedded in EDK II contained
multiple vulnerabilties. An attacker could possibly use these issues to
cause a denial of service, obtain sensitive information, or execute
arbitrary code. (CVE-2021-3712, CVE-2022-0778, CVE-2022-4304,
CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465,
CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-5678,
CVE-2023-6237, CVE-2024-0727, CVE-2024-13176, CVE-2024-2511,
CVE-2024-41996, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143,
CVE-2025-9232)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
efi-shell-aa64 2024.02-2ubuntu0.7
efi-shell-arm 2024.02-2ubuntu0.7
efi-shell-ia32 2024.02-2ubuntu0.7
efi-shell-riscv64 2024.02-2ubuntu0.7
efi-shell-x64 2024.02-2ubuntu0.7
ovmf 2024.02-2ubuntu0.7
ovmf-ia32 2024.02-2ubuntu0.7
qemu-efi-aarch64 2024.02-2ubuntu0.7
qemu-efi-arm 2024.02-2ubuntu0.7
qemu-efi-riscv64 2024.02-2ubuntu0.7
Ubuntu 22.04 LTS
ovmf 2022.02-3ubuntu0.22.04.5
ovmf-ia32 2022.02-3ubuntu0.22.04.5
qemu-efi 2022.02-3ubuntu0.22.04.5
qemu-efi-aarch64 2022.02-3ubuntu0.22.04.5
qemu-efi-arm 2022.02-3ubuntu0.22.04.5
After a standard system update you need to restart the virtual machines
that use the affected firmware to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7894-2
https://ubuntu.com/security/notices/USN-7894-1
https://launchpad.net/bugs/2133157
Package Information:
https://launchpad.net/ubuntu/+source/edk2/2024.02-2ubuntu0.7
https://launchpad.net/ubuntu/+source/edk2/2022.02-3ubuntu0.22.04.5
