USN-7894-2

Source
https://ubuntu.com/security/notices/USN-7894-2
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7894-2.json
JSON Data
https://api.test.osv.dev/v1/vulns/USN-7894-2
Published
2025-11-28T14:58:41.936735Z
Modified
2025-12-03T00:16:45.178369Z
Summary
edk2 regression
Details

USN-7894-1 fixed vulnerabilities in EDK II. The update introduced a regression in the UEFI network boot. This update reverts the corresponding fixes for CVE-2023-45236 and CVE-2023-45237 pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that EDK II was susceptible to a predictable TCP Initial Sequence Number. An attacker could possibly use this issue to gain unauthorized access. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2023-45236, CVE-2023-45237)

It was discovered that EDK II incorrectly handled S3 sleep. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-1298)

It was discovered that the EDK II PE/COFF loader incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service, obtain sensitive information, or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 24.04 LTS. (CVE-2024-38796)

It was discovered that the EDK II PE image hashing function incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2024-38797)

It was discovered that the EDK II BIOS incorrectly handled certain memory operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2024-38805, CVE-2025-2295)

It was discovered that EDK II incorrectly handled the enabling of MCE. An attacker could possibly use this issue to cause a denial of service, or execute arbitrary code. (CVE-2025-3770)

It was discovered that the OpenSSL library embedded in EDK II contained multiple vulnerabilities. An attacker could possibly use these issues to cause a denial of service, obtain sensitive information, or execute arbitrary code. (CVE-2021-3712, CVE-2022-0778, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286, CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, CVE-2023-2650, CVE-2023-3446, CVE-2023-3817, CVE-2023-5678, CVE-2023-6237, CVE-2024-0727, CVE-2024-13176, CVE-2024-2511, CVE-2024-41996, CVE-2024-4741, CVE-2024-5535, CVE-2024-6119, CVE-2024-9143, CVE-2025-9232)

References

Affected packages

Ubuntu:22.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2022.02-3ubuntu0.22.04.5?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2022.02-3ubuntu0.22.04.5

Affected versions

2021.*

2021.08~rc0-2
2021.08-3
2021.11~rc1-1
2021.11-1
2021.11-2

2022.*

2022.02~rc1-1
2022.02~rc1-1ubuntu1
2022.02-1
2022.02-2
2022.02-3
2022.02-3ubuntu0.22.04.1
2022.02-3ubuntu0.22.04.2
2022.02-3ubuntu0.22.04.3
2022.02-3ubuntu0.22.04.4

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2022.02-3ubuntu0.22.04.5",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.5",
            "binary_name": "ovmf-ia32"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.5",
            "binary_name": "qemu-efi"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.5",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "2022.02-3ubuntu0.22.04.5",
            "binary_name": "qemu-efi-arm"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7894-2.json"

cves_map

{
    "cves": [],
    "ecosystem": "Ubuntu:22.04:LTS"
}

Ubuntu:24.04:LTS / edk2

Package

Name
edk2
Purl
pkg:deb/ubuntu/edk2@2024.02-2ubuntu0.7?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2024.02-2ubuntu0.7

Affected versions

2023.*

2023.05-2
2023.11-2
2023.11-3
2023.11-4
2023.11-5
2023.11-6
2023.11-8

2024.*

2024.02-1
2024.02-2
2024.02-2ubuntu0.1
2024.02-2ubuntu0.3
2024.02-2ubuntu0.4
2024.02-2ubuntu0.5
2024.02-2ubuntu0.6

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "efi-shell-aa64"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "efi-shell-arm"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "efi-shell-ia32"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "efi-shell-riscv64"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "efi-shell-x64"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "ovmf"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "ovmf-ia32"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "qemu-efi-aarch64"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "qemu-efi-arm"
        },
        {
            "binary_version": "2024.02-2ubuntu0.7",
            "binary_name": "qemu-efi-riscv64"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7894-2.json"

cves_map

{
    "cves": [],
    "ecosystem": "Ubuntu:24.04:LTS"
}